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Abstract 

Consider a distributed system N in which each agent has an input value and each communi- 
cation link has a weight. Given a global function, that is, a function / whose value depends on 
the whole network, the goal is for every agent to eventually compute the value f(N). We call 
this problem global function computation. Various solutions for instances of this problem, such 
as Boolean function computation, leader election, (minimum) spanning tree construction, and net- 
work determination, have been proposed, each under particular assumptions about what processors 
know about the system and how this knowledge can be acquired. We give a necessary and suf- 
ficient condition for the problem to be solvable that generalizes a number of well-known results 



| Attyia, Snir, and Warmuth 1988[|Yamashita and Kameda 1996llYamashita and Kameda 19991 . We 
then provide a knowledge-based (kb) program (like those of Fagin, Halpern, Moses, and Vardi 1119951 
1997|) that solves global function computation whenever possible. Finally, we improve the mes- 
sage overhead inherent in our initial kb program by giving a counter/actual belief-based program 



| Halpern and Moses 2004 1 that also solves the global function computation whenever possible, but 
where agents send messages only when they believe it is necessary to do so. The latter program is 
shown to be implemented by a number of well-known algorithms for solving leader election. 



1 Introduction 

Consider a distributed system N in which each agent has an input value and each communication link 
has a weight. Given a global function, that is, a function / whose value depends on the whole network, 
the goal is for every agent to eventually compute the value f(N). We call this problem global function 
computation. Many distributed protocols involve computing some global function of the network. This 
problem is typically straightforward if the network is known. For example, if the goal is to compute 
the spanning tree of the network, one can simply apply one of the well-known algorithms proposed 
by Kruskal or Prim. However, in a distributed setting, agents may have only local information, which 
makes the problem more difficult. For example, the algorithm proposed by Gallager, Humblet and Spira 
11198311 is known for its complexity^ Moreover, the algorithm does not work for all networks, although 
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0055. 

'Gallager, Humblet, and Spira's algorithm does not actually solve the minimum spanning tree as we have defined it, since 
agents do not compute the minimum spanning tree, but only learn relevant information about it, such as which of its edges 
lead in the direction of the root. 
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it is guaranteed to work correctly when agents have distinct inputs and no two edges have identical 
weights. 

Computing shortest paths between nodes in a network is another instance of global function com- 
putation that has been studied extensively MFord andFulkerson 1962tlBeilman 19581 . The well-known 



leader election problem | Lynch 1997 1 can also be viewed as an instance of global computation in all 
systems where agents have distinct inputs: the leader is the agent with the largest (or smallest) in- 
put. The difficulty in solving global function computation depends on what processors know. For 
example, when processors know their identifiers (names) and all ids are unique, several solutions for 
the leader election problem have been proposed, both in the synchronous and asynchronous settings 



DChang and Roberts 1979| ILe Lann 19771 Peterson 1 9821. On the other hand, Angluin [19801, and 



Johnson and Schneider 1119851 proved that it is impossible to deterministically elect a leader if agents 
may share names. In a similar vein, Attiya, Snir and Warmuth [ 1988 ] prove that there is no deterministic 
algorithm that computes a non-constant Boolean global function in a ring of unknown and arbitrarily 
large size if agents' names are not necessarily unique. Attiya, Gorbach, and Moran [2002 ] characterize 
what can be computed in what they call totally anonymous shared memory systems, where access to 
shared memory is anonymous. 

We aim to better understand what agents need to know to compute a global function. We do this 
using the framework of knowledge-based (kb) programs, proposed by Fagin, Halpern, Moses and Vardi 
1119951 [T9971 . Intuitively, in a kb program, an agent's actions may depend on his knowledge. To say 
that the agent with identity i knows some fact ip we simply write Knp. For example, if agent i sends 
a message msg to agent j only if he does not know that j already has the message, then the agent is 
following a kb program that can be written as 

if Ki(hasj(msg)) then skip else send(msg). 

Knowledge-based programs absttact away from particular details of implementation and generalize 
classes of standard programs. They provide a high-level framework for the design and specification 
of distributed protocols. They have been applied to a number of problems, such as atomic commit- 
ment [Hadzilacos 1987 ], distributed commitment [Mazer and Lochovsky 1990], Byzantine agreement 



HDwork and Moses 1990[ Halpern, Moses, and Waarts~2~001[, sequence transmission [Halpern and Zuck 1992], 



and analyzing the TCP protocol [Stulp and Verbrugge 2002]. 



We first characterize when global function computation is solvable, i.e., for which networks N and 
global functions / agents can eventually learn f(N). As we said earlier, whether or not agents can learn 
f(N) depends on what they initially know about N. We model what agents initially know as a set M 
of networks; the intuition is that M is the set of all networks such that it is common knowledge that N 
belongs to TV. For example, if it is commonly known that the network is a ring, M is the set of all rings; 
this corresponds to the setting considered by Attiya, Snir and Warmuth 119881 . If, in addition, the size 
n of N is common knowledge, then N is the (smaller) set of all rings of size n. Yamashita and Kameda 
[1996 ] focus on three different types of sets N: (1) for a given n, the set of all networks of size n, (2) 
for a fixed d, the set of all networks of diameter at most d, and (3) for a graph G, the set of networks 
whose underlying graph is G, for all possible labelings of nodes and edges. In general, the more that is 
initially known, the smaller M is. Our problem can be rephrased as follows: given N and /, for which 
sets TV is it possible for all agents in N to eventually learn f{N)l 

For simplicity, we assume that the network is finite and connected, that communication is reliable, 
and that no agent fails. Consider the following simple protocol, run by each agent in the network: 
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agents start by sending what they initially know to all of their neighbors; agents wait until they receive 
information from all their neighbors; and then agents transmit all they know on all outgoing links. 
This is a full-information protocol, since agents send to their neighbors everything they know. Clearly 
with the full-information protocol all agents will eventually know all available information about the 
network. Intuitively, if f(N) can be computed at all, then it can be computed when agents run this 
full-information protocol. However, there are cases when this protocol fails; no matter how long agents 
run the protocol, they will never learn f(N). This can happen because 

1. although the agents actually have all the information they could possibly get, and this information 
suffices to compute the value of /, the agents do not know this; 

2. although the agents have all the information they could possibly get (and perhaps even know this), 
the information does not suffice to compute the function value. 

In Section |2l we illustrate these situations with simple examples. We show that there is a natural way 
of capturing what agents know in terms of bisimilarity relations [Miln er 19891 . and use bisimilarity to 
characterize exactly when global function computation is solvable. We show that this characterization 
provides a significant generalization of results of Attiya, Snir, and Warmuth 1119881 and Yamashita and 
Kameda fl999l . 

We then show that the simple program where each agent just forwards all the new information 
it obtains about the network solves the global function computation problem whenever possible. It is 
perhaps obvious that, if anything works at all, this program works. We show that the program terminates 
with each agent knowing the global function value iff the condition that we have identified holds. 

Our program, while correct, is typically not optimal in terms of the number of messages sent. Gen- 
erally speaking, the problem is that agents may send information to agents who already know it or will 
get it via another route. For example, consider an oriented ring. A simple strategy of always sending 
information to the right is just as effective as sending information in both directions. Thus, roughly 
speaking, we want to change the program so that an agent sends whatever information he learns to a 
neighbor only if he does not know that the neighbor will eventually learn it anyway. 

Since agents decide which actions to perform based on what they know, this will be a kb program. 
While the intuition behind this kb program is quite straightforward, there are subtleties involved in 
formalizing it. One problem is that, in describing kb programs, it has been assumed that names are 
commonly known. However, if the network size is unknown, then the names of all the agents in the 
network cannot be commonly known. Things get even more complicated if we assume that identifiers 
are not unique. For example, if identifiers are not unique, it does not make sense to write "agent i knows 
tp"; Kiip is not well defined if more than one agent can have the id i. 

We deal with these problems using techniques introduced by Grove and Halpern 1119951 11993II . 
Observe that it makes perfect sense to talk about each agent acting based on his own knowledge by 
saying "if / know tp, then . . . ". / here represents the name each agent uses to refer to himself. This 
deals with self -reference; by using relative names appropriately, we can also handle the problem of how 
an agent refers to other agents. 

A second problem arises in expressing the fact that an agent should send information to a neighbor 
only if the neighbor will not eventually learn it anyway. As shown by Halpern and Moses [2004] 
the most obvious way of expressing it does not work; to capture this intuition correctly we must use 
counter) 'actuals. These are statements of the form tp > tp, which are read "if tp then if;", but the "if 
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... then" is not treated as a standard material implication. In particular, the formula is not necessarily 
true if tp is false. In Section 13.11 we provide a kb program that uses counterfactuals which solves the 
global function computation problem whenever possible, while considerably reducing communication 
overhead. 

As a reality check, for the special case of leader election in networks with distinct ids, we show in 
Section [5] that the kb program is essentially implemented by the protocols of Lann, Chang and Roberts 
BLe Lann 19771 [Ch ang and Ro berts 1979] , and Peterson [1982], which all work in rings (under slightly 



different assumptions), and by the optimal flooding protocol [Lynch 1997[ in networks of bounded 
diameter. Thus, the kb program with counterfactuals shows the underlying commonality of all these 
programs and captures the key intuition behind their design. 

The rest of this paper is organized as follows. In Section [2 we give our characterization of when 
global function computation is possible. In Section [3] we describe the kb program for global function 
computation, and show how to optimize it so as to minimize messages. In Section [5J we show that the 
program essentially implements some standard solutions to leader election in a ring. We remark that 
to define kb programs with counterfactuals requires a lot of technical machinery, which can sometimes 
obscure the essential simplicity of the ideas. Thus, we defer the detailed formal definitions and the 
proofs of results to the appendix, giving only the essential ideas in the main part of the paper. 



2 Characterizing when global function computation is solvable 

We model a network as a directed, simple (no self-loops), connected, finite graph, where both nodes and 
edges are labeled. Each node represents an agent; its label is the agent's input, possibly together with 
the agent's name (identifier). Edges represent communication links; edge labels usually denote the cost 
of message transmission along links. Communication is reliable, meaning that every message sent is 
eventually delivered and no messages are duplicated or corrupted. 

We assume that initially agents know their local information, i.e., their own input value, the number 
of outgoing links, and the weights associated with these links. However, agents do not necessarily know 
the weights on non-local edges, or any topological characteristics of the network, such as size, upper 
bound on the diameter, or the underlying graph. Additionally, agents may not know the identity of the 
agents they can directly communicate with, or if they share their names with other agents. In order to 
uniquely identify agents in a network N of size n, we label agents with "external names" 1, . . ., n. 
Agents do not necessarily know these external names; we use them for our convenience when reasoning 
about the system. In particular, we assume that the global function / does not depend on these external 
names; f(N) = f(N') for any two networks ./V and N' that differ only in the way that nodes are labeled. 

Throughout the paper we use the following notation: We write V(N) for the set of agents in N and 
E(N) for the set of edges. For each i G V(N), let OirfTv(i) be the set of i's neighbors on outgoing links, 
so that Outjf(i) = {j G V(N) \ G E(N)}; let In^ii) be the set of i's neighbors on incoming 
links, so that JriAr(i) = {j G V(N) | (j, i) G E{N))}\ let mjv(i) denote i's input value. Finally, if e is 
an edge in E(N), let Wiv(e) denote e's label. 

We want to understand, for a given network N and global function /, when it is possible for agents to 
eventually know f(N). This depends on what agents know about N. As mentioned in the introduction, 
the general (and unstated) assumption in the literature is that, besides their local information, whatever 
agents know initially about the network is common knowledge. We start our analysis by making the 
same assumption, and characterize the initial common knowledge as a set M of networks. 
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In this section, we assume that agents are following a full-information protocol. We think of the 
protocol as proceeding in rounds: in each round agents send to all neighbors messages describing all 
the information they have; messages are stamped with the round number; round k for agent i starts after 
he has received all round k — 1 messages from his neighbors (since message delivery is reliable, this is 
guaranteed to happen). The round-based version of the full-information protocol makes sense both in 
synchronous and asynchronous settings, and for any assumptions about the order in which messages are 
delivered. 

Intuitively, the full-information protocol reduces uncertainty. For example, suppose that M consists 
of all unidirectional 3-node rings, and let iV be a three node ring in which agents have inputs a, b, 
and c, and all edges have the same weight w. Let i be the external name of the agent with input a. 
Initially, i considers possible all 3-nodes rings in which the weight on his outgoing edge is w and his 
input is a. After the first round, i learns from his incoming neighbor, who has external name j, that 
fs incoming edge also has weight w, and that j has input c. Agent j learns in the first round that his 
incoming neighbor has input b and that his incoming edge also has weight w. Agent j communicates 
this information to i in round 2. At the end of round 2, i knows everything about the network N, as do 
the other two agents. Moreover, he knows exactly what the network is. But this depends on the fact that 
i knows that the ring has size 3. 






Round 



Round 1 



Round 2 



Figure 1: How i's information changes with the full-information protocol. 

Now consider the same network N, but suppose that agents do not know the ring size, i.e., M is 
the set of all unidirectional rings, of all possible sizes and for all input and weight distributions. Again, 
at the end of round 2, agent i has all the information that he could possibly get, as do the other two 
agents. However, at no point are agents able to distinguish the network N from a 6-node ring N' in 
which agents look just like the agents on the 3-node ring (see Figure 13. Consider the pair of agents i 
in N and i' in N'. It is easy to check that these agents get exactly the same messages in every round of 
the full-information protocol. Thus, they have no way of distinguishing which is the true situation. If 
the function / has different values on N and N', then the agents cannot compute f(N). On the other 
hand, if J\f consists only of networks where inputs are distinct, then i realizes at the end of round 2 that 
he must be k's neighbor, and then he knows the network configuration. 

We want to characterize when agent i in network N thinks he could be agent i' in network N'. 
Intuitively, at round k, i thinks it possible that he could be i' if there is a bijection fx that maps i's 
incoming neighbors to i"s incoming neighbors such that, at the previous round k — 1, each incoming 
neighbor j of i thought that he could be 

Definition 2.1 Given networks N and N' and agents i G V(N) and i' G V(N'), i and i' wee Q-bisimilar, 
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Figure 2: Two indistinguishable networks. 

written (N,i) ~ (N',i'),iB 

• mjv(«) = wjv(i'); 

• there is a bijection / ou * : Out^{i) — ► Out^i(i') that preserves edge-labels; that is, for all 

j € Out N {i), we have w N (i,j) = w N ,(i', f out {j)). 

For k > 0,i and i' are k-bisimilar, written (iV, i) ~^ (N', i'), iff 

• ~ (JV', i'), and 

• there is a bijection f m : /njv(i) — ► InN'(i') sucn tnat f° r e InN(i) 

- w N {j,i) = w N >(f m (j),i'), 

- the (j, i) edge is bidirectional iff the (f m (j), i') edge is bidirectional, and 

- (iV,j) ~ fe _! (N',f™(j)). 

Note that ~& is an equivalence relation on the set of pairs (iV, i) with i € V(JV), and that ~fc+i is a 
refinement of 

The following lemma relates bisimilarity and the full-information protocol: 
Lemma 2.2: The following are equivalent: 

(a) (N,i) ~ fe (iV',0- 

(7?) Agents i € V(iV) and i' G V(JV') Ziave the same initial local information and receive the same 
messages in each of the first k rounds of the full-information protocol. 

(c) If the system is synchronous, then i and i' have the same initial local information and receive the 
same messages in each of the first k rounds of every deterministic protocol. 

Proof: We first prove that (a) implies (c). Let P be an arbitrary deterministic protocol. The proof 
proceeds by induction, with the base case following from the definition of ~o- Suppose that, if (N, i) ~ k 
(N', i'), then i and i' start with the same local information and receive same information in each of the 
first k rounds of protocol P and that (N,i) ^k+i {N',i'). Then (N, i) ~& (N',i'), and there exists 
a bijection f m : In^ii) — ► In^^i) such that (N,j) ~& (N' , f m (j)) for all j € In^(i). From 
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the inductive hypothesis, it follows that i and i' have the same initial information and receive the same 
messages in the first k rounds of P; similarly, for each j incoming neighbor of i, j and f m (j) have same 
initial information and receive same messages in each of the first k rounds of P. Hence, j and f m (j) 
have the same local state at time k and, since P is deterministic, j sends i the same messages as f m (j) 
sends to i'. Thus, i and i' receive same messages in round k + 1 of protocol P. 

To prove that (c) implies (b), it suffices to notice that the full-information protocol is a special case 
of a deterministic protocol and that, given how we have defined rounds in an asynchronous setting, i 
receives the same messages in round k of the full-information protocol in both the synchronous and 
asynchronous case. 

Finally, we prove that (b) implies (a) by induction on k. For k = 0, it is clear from Definition 12.11 
that (N, i) ~o (N', i') exactly when i and %' have the same initial local information. For the inductive 
step, suppose that i and i' have the same initial local information and receive the same messages at each 
round k' < k + 1. We can then construct a mapping, say f m , from In^{i) to Inwii') such that for all 
j G In^{i), the information that i receives from j is the same as the information that i' receives from 
f m (j) in each of the first k + 1 rounds. Since j is following a full-information protocol, it follows that 
j must have the same initial local information as j' and that j and j' receive the same messages in each 
of the first k rounds. By the induction hypothesis, (N,j) ~^ (N', f m (J))- Since part of i's information 
from j is also the weight of edge (j, i), f m must preserve edge-weights. Thus, (N, i) ^k+i (N', i'). I 

Intuitively, if the function / can be computed on N, then it can be computed using a full-information 
protocol. The value of / can be computed when / takes on the same value at all networks that the agents 
consider possible. The round at which this happens may depend on the network N, the function /, and 
what it is initially known. Moreover, if it does not happen, then / is not computable. Using Lemma I2T21 
we can characterize if and when it happens. 

Theorem 2.3: The global function f can be computed on networks in Af iff, for all networks N £ Af, 
there exists a constant fcjv",Ar,/» such that, for all networks N 1 £ Af, all i £ V(N), and all i' £ V(N'), 
if(N,i) ~ k ^ Nj (N',i f ) then f(N') = f(N). 

Proof: First suppose that the condition in the statement of the theorem holds. At the beginning of each 
round k, each agent i in the network proceeds as follows. If i received the value of / in the previous 
round, then i forwards the value to all of its neighbors and terminates; otherwise, i computes /'s value 
on all the networks N' such that there exists an i' such that agent i' would have received the same 
messages in the first k — 1 rounds in network N' as i actually received. (By Lemma l2T2l these are just 
the pairs (N 1 , i') such that (N', i') ~fe_i (N, i).) If all the values are equal, then i sends the value to 
all his neighbors and terminates; otherwise, i sends whatever new information he has received about the 
network to all his neighbors. 

Let ki be the first round with the property that for all N' G Af and i' in N', if (N, i) ~fc^ (N 1 , i'), 
then f(N') = f(N). (By assumption, such a fc, exists and it is at most fc^JV,/-) It i s eas Y t0 see 
that, by round ki, i learns the value of f(N), since either i gets the same messages that it gets in the 
full-information protocol up to round ki or it gets the function value. Thus, i terminates by the end of 
round ki + 1 at the latest, after sending the value of /, and the protocol terminates in at most feyv",iV,/ + 1 
rounds. Clearly all agents learn f(N) according to this protocol. 

Now suppose that the condition in the theorem does not hold and, by way of contradiction, that 
the value of / can be computed by some protocol P on all the networks in Af. There must exist some 
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network N for which the condition in the theorem fails. Consider a run where all messages are delivered 
synchronously. There must be some round k such that all agents in N have computed the function value 
by round k. Since the condition fails, there must exist a network N' G N and agents % G V(N) and 
i' G V(N') such that (N,i) (N',i') and f(N) ^ f(N'). By LemmaO i and i' have the same 
initial information and receive the same messages in the first k rounds of protocol P. Thus, they must 
output the same value for the function at round k. But since f(N) ^ f{N'), one of these answers must 
be wrong, contradicting our assumption that P computes the value of / in all networks in M. I 

Intuitively, £vv,tv,/ is a round at which each agent i knows that / takes on the same value at all the 
networks i considers possible at that round. Since we are implicitly assuming that agents do not forget, 
the set of networks that agent i considers possible never grows. Thus, if the function / takes on the same 
value at all the networks that agent i considers possible at round k, then / will take on the same value at 
all networks that i considers possible at round k' > k, so every agent knows the value of f(N) in round 
kM,Nj- In some cases, we can provide a useful upper bound on kj^f^j- For example, if N consists 
only of networks with distinct identifiers, or, more generally, of networks in which no two agents are 
locally the same, i.e., (N, i) 9^0 (N,j) for all i ^ j, then we can take fc^jy,/ = diam(N) + 1, where 
diam(N) is the diameter of JV. 

Theorem 2.4 If initially it is common knowledge that no two agents are locally the same, then all global 
functions can be computed; indeed, we can take kj^^j = diam(N) + 1. 

Proof: Since f(N) = f(N') if N and N' are isomorphic, it suffices to show that (N,i) ^diam(N)+i 
(N',i r ) implies that N and N' are isomorphic for all JV, JV' G M. First observe that, by an easy 
induction on k, if there is a path of length k < diam(N) from i to j in JV, then there must exist a 
node j' G V(N') such that there is a path from i' to j' of length k and (N,j) r ^diam(N)+i-k 
Moreover, note that j' must be unique, since if (N,j) ~ diam(N)+l-k then j, j', and j" must 

be locally the same and, by assumption, no distinct agents in N' are locally the same. Define a map h 
from N to N' by taking h(j) = j'. This map is 1-1, since if h(J\) = h{]2), then j\ and 22 must be 
locally the same, and hence identical. 

Let N" be the subgraph of N' consisting of all nodes of distance at most diam(N) from i'. An 
identical argument shows that there is a 1-1 map h! from N" to N such that j' and h'(j') are locally 
the same for all j' G V(N"). The function h! is the inverse of h, since h(h'(j')) and j' are locally the 
same, and hence identical, for all f G V(N). Finally, we must have that h is a graph isomorphism from 
N to N", since the fact j and h(j) are locally the same guarantee that they have the same labels, and if 
(j'l, j 2 ) G E(N), then (h(j), h(j')) G E{N") and the two edges have the same label. 

It remains to show that N' = N" . Suppose not. Then there is a node j\ G V(N') of distance 
diam(N) + 1 from i! . Let j% G V(N) be such that j\ is an outgoing neighbor of ji and the distance 
from i' to j% is diam(N). By construction, j 2 G V(N"); by our previous argument, there is a node 
jz G V(N) such that (JV, js) ~i (N f , jz). Since j 2 and j'3 are locally the same, they must have the same 
number of outgoing links, say m. That means that there are m nodes in N that have j% as an incoming 
neighbor, say ii, . . . , i m . Thus, each of h(i\), . . . , h{i m ), all of which are in JV", must have j'3 as an 
incoming neighbor. But j'3 has only m outgoing edges, and one of them goes to j 2 , which is not in N" . 
This is a contradiction. | 

Attiya, Snir, and Warmufh [1988] prove an analogue of Lemma I2T21 in their setting (where all net- 
works are rings) and use it to prove a number of impossibility results. In our language, these impossi- 
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bility results all show that there does not exist a k such that (N, i) ~t (N f , i') implies f(N) = f(N') 
for the functions / of interest, and thus are instances of Theorem 12. 3 rl 

Yamashita and Kameda characterize when global functions can be computed in undirected networks 
(which have no weights associated with the edges), assuming that an upper bound on the size of the 
network is known. They define a notion of view and show that two agents have the same information 
whenever their views are similar in a precise technical sense; f(N) is computable iff for all networks 
N' such that agents in N and N' have similar views, f(N') = f(N). Their notion of similarity is 
essentially our notion of bisimilarity restricted to undirected networks with no edge labels. Thus, their 
result is a special case of Theorem [23] for the case that M consists of undirected networks with no edge 
labels of size at most n* for some fixed constant n*; they show that fcyv.iV,/ can be taken to be n* in that 
case. Not only does our result generalize theirs, but our characterization is arguably much cleaner. 

Theorem 12.41 sheds light on why the well-known protocol for minimum spanning tree construction 
proposed by Gallager, Humblet, and Spira [ 1983 ] can deal both with systems with distinct ids (provided 
that there is a commonly-known ordering on ids) and for networks with identical ids but distinct edge- 
weights. These are just instances of situations where it is common knowledge that no two agents are 
locally the same. 



3 A standard program for global function computation 
3.1 Standard programs with shared names 

A standard program Pg has the form 

if t\ then acti 
if ti then act 2 

where the tjS are standard tests (possibly involving temporal operators such as 0), and the actjS are 
actions. The intended interpretation is that agent i runs this program forever. At each point in time, i 
nondeterministically executes one of the actions actj such that the test tj is satisfied; if no such action 
exists, i does nothing. We sometime use obvious abbreviations like if . . . then . . . else. 

Following Grove and Halpern MGrove 1995[ Grove and Halpern~1993[ (GH from now on), we dis- 



tinguish between agents and their names. We assume that programs mention only names, not agents 
(since in general the programmer will have access only to the names, which can be viewed as denoting 
roles). We use N to denote the set of all possible names and assume that one of the names is I. In 
the semantics, we associate with each name the agent who has that name. We assume that each agent 
has a way of naming his neighbors, and gives each of his neighbors different names. However, two 
different agents may use the same name for different neighbors. For example, in a ring, each agent may 
name his neighbors L and R; in an arbitrary network, an agent whose outdegree is d may refer to his 
outgoing neighbors as 1, 2, d. We allow actions in a program to depend on names, so the meaning 
of an action may depend on which agent is running it. For example, in our program for global function 
computation, if i uses name n to refer to his neighbor j, we write i's action of sending message msg 
to j as send n (msg). Similarly, if A is a set of names, then we take sendA(msg) to be the action of 



2 We remark that Attiya, Snir, and Warmuth allow their global functions to depend on external names given to agents in the 
network. This essentially amounts to assuming that the agent's names are part of their input. 
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sending msg to each of the agents in A (and not sending anything to any other agents). Let Nbr de- 
note the neighbors of an agent, so that sender {msg) is the action of sending msg to all of an agent's 
neighbors. 

We assume that message delivery is handled by the channel (and is not under the control of the 
agents). In the program, we use a primitive proposition some -new -info that we interpret as true for 
agent i iff i has received some new information; in our setting, that means that i has learned about 
another agent in the network and his input, has learned the weight labeling some edges, or has learned 
that there are no further agents in the network. (Note that in the latter case, i can also compute the 
function value. For example, in doing leader election on a unidirectional ring, if i gets its id back after 
sending it around the network, then i knows that it has heard from all agents in the network, and can 
then compute which agent has the highest id.) Note that some-new Jnfo is a proposition whose truth is 
relative to an agent. As already pointed out by GH, once we work in a setting with relative names, then 
both propositions and names need to be interpreted relative to an agent; we make this more precise in 
the next section. In the program, the action send n (new_info) has the effect of i sending n whatever 
new information i learned. 

With this background, we can describe the program for global function computation, which we call 
Pg GC ; each agent runs the program 

if some-new -info then send^hvinew -info); receive, 

where the receive action updates the agent's state by receiving any messages that are waiting to be 
delivered. As written, Pg GC does not terminate; however, we can easily modify it so that it terminates 
if agents learn the function value. (They will send at most one message after learning the function 
value.) 

We would like to prove that Pg GC solves the global function computation problem. To do this, we 
need to give precise semantics to programs; that is the subject of the next section. 

3.2 Protocols, systems, and contexts 

We interpret programs in the runs and systems framework of Fagin et al. [1995 ], adapted to allow for 
names. We start with a possibly infinite set A of agents. At each point in time, only finitely many agents 
are present. Each of these agents i is in some local state ij. The global state of the system at a particular 
point is a tuple s consisting of the local states of the agents that exist at that point. Besides the agents, it 
is also convenient to assume that there is an environment state, which keeps track of everything relevant 
to the system not included in the agents' states. In our setting, the environment state simply describes 
the network. 

A run is a function from time (which we take here to range over the natural numbers) to global 
states. Intuitively, a run describes the evolution of the system over time. With each run, we associate the 
set of agents that exist in that run. For simplicity, we assume that the set of agents is constant over the 
run; that is, we are not allowing agents to enter the system or leave the system. However, different sets 
of agent may be associated with different runs. (While this is appropriate in our setting, it is clearly not 
appropriate in general. We can easily extend the framework presented here to allow agents to enter or 
leave the system.) Let A(r) denote the agents present in run r. A pair (r, m) consisting of a run r and 
time m is called a point. If i € A(r), we use rj(m) to denote agent i's local state at the point (r, m). A 
system 1Z consists of a set of runs. 
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In a system for global function computation, each agent's initial local information is encoded in 
the agent's local state; it must be consistent with the environment. For example, if according to the 
environment the network is a bidirectional ring, each agent must have two outgoing edges according to 
its local state. We assume that agents have perfect recall, so that they keep track in their local states of 
everything that they have heard and when they heard it. This means that, in particular, the local state of 
an agent encodes whether the agent has obtained new information about the network in a given round k. 

We are particularly interested in systems generated by protocols. A protocol Pi for agent i is a func- 
tion from i's local states to nonempty sets of actions that i may perform. If the protocol is deterministic, 
then Pi(£) is a singleton for each local state I. A joint protocol is a tuple P = {Pi : i € A}, which 
consists of one protocol for each agent. 

We can associate with each joint protocol P a system, given a context. A context describes the 
environment's protocol, the initial states, the effect of actions, and the association of names with agents. 
Since names are relative to agents, we do the association using a naming function ,u:5x^xN^i, 
where Q is the set of global states. Intuitively, p(g, i, n) = j if agent i assigns name n to agent j at 
the global state g. Thus, we take a context 7 to be a tuple (P e , Qo,t, p), where P e is a protocol for the 
environment, Qq is a set of initial global states, r is a transition function, and p, is a naming functionJl 
The environment is viewed as running a protocol just like the agents; its protocol is used to capture, 
for example, when messages are delivered in an asynchronous system. The transition function r and 
naming function p determine a mapping denoted r M associating with each joint action (a tuple consisting 
of an action for the environment and one for each of the agents) a global state transformer, that is, a 
mapping from global states to global states. Note that we need the naming function since actions may 
involve names. For the simple programs considered in this paper, the transition function will be almost 
immediate from the description of the global states. 

We focus in this paper on a family of contexts that we call contexts for global function computation. 
Intuitively, the systems that represent programs in a context for global function computation are systems 
for global function computation. A context j GC = (P e , Go,t, p) for global function computation has 
the following features: 

• The environment's protocol P e controls message delivery and is such that all messages are even- 
tually delivered, and no messages are duplicated or corrupted. 

• The initial global states are such that the environment's state records the network N and agent i's 
local state records agent i's initial local information; we use N r to denote the network in a run r 
(as encoded by the initial global state in r). 

• The transition function r M is such that the agents keep track of all messages sent and delivered 
and the set of agents does not change over time. That is, if s is a global state, act is a joint action, 
and s' = r At (act)(s), then A{s) = A(s') and agent i's local state in s' is the result of appending 
all messages that i sent and received as a result of action act to i's local state in s. We assume that 
r M is such that the action send n (new-info) has the appropriate effect, i.e., if s end n (new -info) 
is agent i's component of a joint action act and agent i gives agent j name n in the global state s 
(note here we need the assumption that the naming function p depends only on the global state) 

3 Fagin et al. [ 1995 1 also have a component of the context that describes the set of "allowable" runs. This plays a role when 
considering issues like fairness, but does not play a role in this paper, so we omit it for simplicity. Since they do not consider 
names, they do not have a component fi in their contexts. 
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and s' = r M (act)(s), then in s', j's local state records the fact that j has received the information 
from i. 

In the following, we will denote the set of all networks encoded in the initial global states of a context 
7 GC for global function computation as J\f{^ GC ). 

A run r is consistent with a joint protocol P if it could have been generated when running P. 
Formally, run r is consistent with joint protocol P in context 7 if its initial global state r(0) is one of 
the initial global states Qq given in 7, and for all m, the transition from global state r(m) to r(m + 1) 
is the result of performing one of the joint actions specified by P according to the agents in r, and the 
environment protocol P e (given in 7) in the global state r(m). That is, if P = {Pi : i G A} and P e is 
the environment's protocol in context 7, then r(0) <G Go, and if r(m) = (£ e , {li : i G A(r)}), then there 
must be a joint action (act e , {actj : i G r(A)}) such that act e G P e (£e), actj G Pi(£i) for i G r(A), 
and r(m + 1) = r M (act e , {actj : i G r{A)}){r{m)) (so that r(m + 1) is the result of applying the joint 
action (act e , {actj : i G A}) to r(m). For future reference, we will say that a run r is consistent with 7 
if r is consistent with some joint protocol P in 7. A system 1Z represents a joint protocol P in a context 
7 if it consists of all runs consistent with P in 7. We use R(P, 7) to denote the system representing P 
in context 7. 

We want to associate with a program a protocol. To do this, we need to interpret the tests in the 
program. In doing so, we need to consider the fact that tests in the programs we consider here may 
contain names. This is the case for example of leader election programs in a ring network, where 
an agent may send a message only if his identifier is larger than his left neightbor's. We can write 
this as id 1 > id^, and clearly this test holds for the agent with maximum id, but does not hold for 
the agent with minimum id. This is why we need to interpret the tests in a program relative to an 
agent and with respect to a naming function /i that resolves names relative to the agent. Given a set 
of primitive propositions, let an interpretation it be a mapping that associates with each naming 
function fi a function 7r M : Q x A x <E> — > {true, false}. Intuitively, TT^(g, i,p) = true if p is true at the 
global state g relative to agent i. Furthermore, we need to ensure that the interpretation is consistent, 
in the sense that if idj > idi is interpreted as true in a global state g with respect to agent i, and z's 
left neighbor refers to i as his right neighbor, then idn > idj is taken as true in same global state, 
this time when interpreted relative to i's left neighbor. To formalize this, we take <£' to be the set of 
all propositions in $ with relative names replaced by "external names" 1, . . ., n, and take functions 
7r' : Q x <J>' — > {true, false} to be objective interpretation functions. We say that 7r M is consistent 
if there exists an objective interpretation ir' such that, for all global states g, agents i and tests p in 
<!>, ir^(g,i,p) = true if and only if ir'(g,p') = true, where p' is just like p, except that all names n 
are replaced by the external name fj,(g,i,n). In the following, we will focus only on contexts 7 and 
interpretations ir such that 7r M (for \x the naming function in 7) is consistent. Of course, we can extend 
7r M to arbitrary prepositional formulas, in the standard way; for example, we take n^(g, i, -^<p) = true 
iff TT^(g, i, if) = false, ir^(g, i, <p A -0) = true iff n^g, i, (p) = true and ir^g, i, ip) = true, etc. 

An interpretation is local (for program Pg and in context 7) if the tests (p in Pg depend only on the 
local state, in the sense that if i is agent i's local state in the global state g and also agent j's local state in 
the global state g' , then 7r M (g, i, if) = true iff n^g' , j, tp) = true. In this case, we write ir^l, ip) = true. 
Given an interpretation it that is local, we can associate with a program Pg for agent i a protocol Pg Wfi . 
We define Pg^^ (£) = {act,- | ir^(£, tj) = true} if there exist tests tj such that 7r M (£, tj) = true, and take 
Pg^ 11 ^) = skip otherwise. Define I(Pg, 7, tt) = H(Pg 7T > 1 , 7), for [i the naming function in context 7. 

An interpreted context for global function computation is a pair (7, tt), where 7 is a context for 
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global function computation and interprets some-new -info appropriately (so that 7r M (g, i, some-new - 
= true if i received some new information about the network in g and has not sent a message since re- 
ceiving that information). 

For the purpose of global function computation, we often talk about agents knowing a fact about the 
network, some piece of information, or the function value, and how this knowledge changes during a 
run of a protocol like (P# ) M . Intuitively, this says that, regradless of the agent's uncertainity about 
the network, and in general about the global state he is in, tp holds, i's uncertainity about the global 
world comes from two sources: i's uncertainty about the local states of other agents, and i's uncertainity 
about his own identity and the identities of the other agents he can refer to by certain names. More 
precesily, when in some local state £ = rj(m), i cannot distinguish between the global world r(m) and 
any global world r'(m') such that there exists an agent i' with same local state as i, i.e., r^(m') = £. In 
the following, we will a tuple (r, m, i) a situation, and we will say that situations (r, m, i) and (r', m' , i') 
are indistinguishable to agent i if i thinks possible he is i! in r'(m'), i.e., rj(m) = r^(m'). We define 
an extended interpreted system to be a tuple X = (1Z, it, p), where 1Z is a system, it is an interpretation, 
and fi is a naming function. We say that fact tp holds at situation (r, m, i) and with respect to interpreted 
system X, denoted as (I, r, m, i) \= tp, precisely when 7r^(r(m), i, tp) = true. We can now formalize 
the fact that i knows tp at point (r, m) as the condition that tp holds at all situations intistinguishable to 
i from (r, m, i), i.e., (2, r', m', i') \= tp for all situations (r', m', i') in 2 with r^(m') = rj(m). 

Program Pg solves the global function computation problem for function / in the interpreted context 
(7 , 7r) if and only if, in all runs r of l(Pg, J GC , vr), eventually all agents in A(r) know the value 
f(N r ). That is, for all such runs r, there exists a time m such that, for all agents i in A(r), f takes the 
same value f(N r ) on all networks i thinks possible when in local state rj(m), i.e., on all networks in 
runs r' such that there exists a time m' and an agent i! with r^(m') = rj(m). 

3.3 Proving the correctness of Pg 

Theorem 3.1: If f and J\f(j GG ) satisfy the condition in Theorem \2.3\ then Pg GC solves the global 
function computation problem for f in all interpreted contexts {^f GC ' , ir) for global function computation. 

Proof: Let / be a global function and let (7 , vr) be an interpreted system for global function com- 
putation such that / and J\f(j GG ) satisfy the condition in Theorem 12.31 Let r be a run in the system 
I(Pg GC , 7 GC ,ir). 

We first show that at some point in r, some agent knows f(N r ). Suppose not. Let r' be the unique 
run of the full-information protocol starting with the same initial global state as r. We show by induction 
on k that there is a time mp. such that, at time (r, m^), all the agents in A(r) have at least as much 
information about the network as they do at the beginning of round k in r' . That is, for all agents i in 
A(r), the set of networks i considers possible at time in r (i.e., the set of all networks N r " for r" run 
in I(Pg GG , 7 , 7r) such that there exists a situation (r" ,m" with r",,(m") = riimk)) is a subset 
of the set of networks % considers possible at the beginning of round k in r' (i.e., if m' k is the time in r' 
when round k begins, the set of networks 2V r « for r" run of the full-information protocol such that there 
exists a situation (r", m" , i") with r"„(rn") = r^(m' fc )). 

The base case is immediate: we can take mi = since, by assumption, agents in r and r' start with 
the same initial states. For the inductive step, suppose that i learns some new information from j in 
round k of r'. That means j knew this information at the beginning of round k in r' so, by the induction 
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hypothesis, j must have known this information by time rrik in r. Thus, there is a time ml < mk 
such that j first learns this information in run r (where we take m' k = if k = 1). It follows from 
the semantics of Pg GC that j sends this information to i at time m' k in r. Since we have assumed that 
communication is reliable, i learns it by some time m" k . Since i has only finitely many neighbors and 
there are only finitely many pieces of information about the network, there must be a time in r by which 
i learns all the information that it learns by the beginning of round k + 1 in r'. And since there are only 
finitely many agents in A(r), there must be a time m^+i by which all the agents in A(r) learn all the 
information about the network that they know at the beginning of round k + 1 in r'. 

By Theorem 12.31 there exists a round kj^^Gc^ Nr j such that, running the full-information protocol, 
for all networks N' G N{j GC ), all i' G V(N'), and all i G V(N r ), we have that f(N r ) = f(N') if 
(N r , i) ~fc A/ . ( GC) N f {N' } i'). Suppose that i is an agent in N r , r' is a run in I(Pg GC , 7 , vr), and i' 
is an agent in N r < such that rj(m^ GC N f ) = r ? ',(m'). A straightforward argument now shows that 
(N r ,i) GC) N / (N r i,i f ). (Formally, we show by induction on k with a subinduction on k' that if 

& < kj\fryGC\ Nr j, k! < k, and j is an agent at distance k' from i in N r , then there exists an agent j' 
of distance /c' from i' in iV r / such that (N r , i) ~k-k' {N r i,i'), and similarly switching the roles of i, i', 
N r , and N r >.) It follows that i knows f(N r ) by time mk^, ac N f ^ n r > contradicting the assumption 
that no agent learns f(N r ). 

Suppose that i is the first agent to learn the function value in r, and does so at time m (or one of 
the first, if there are several agents that learn the function value at time m). We can now use the same 
argument as above to show that eventually all agents learn the function value. A formal proof proceeds 
by induction on the distance of agent j from iin N r ; we omit details here. | 

4 Improving message overhead 

While sending only the new information that an agent learns at each step reduces the size of messages, it 
does not preclude sending unnecessary messages. One way of reducing communication is to have agent 
i not send information to the agent he names n if he knows that n already knows the information. Since 
agent i is acting based on what he knows, this is a knowledge-based (kb) program. We now formalize 
this notion. 

4.1 Knowledge-based programs with shared names 

Consider a language with a modal operator K n for each name n G N. When interpreted relative to 
agent i, K n (p is read as "the agent i names n knows tp". A knowledge-based program Pg^ has the form 

if t\ A k\ do acti 
if £2 A &2 do act2 

where tj and actj are as for standard programs, and kj are knowledge tests (possibly involving belief 
and counterf actual tests, as we will see later in the section). 

Let cont (new -info) be a primitive proposition that characterizes the content of the message new -info. 
For example, suppose that N is a unidirectional ring, and new -info says that i's left neighbor has input 
value v\. Then cont (new -info) is true at all points where i's left neighbor has input value v\. (Note 
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that cont (new -info) is a proposition whose truth is relative to an agent.) Thus, it seems that the follow- 
ing kb program should solve the global function computation problem, while decreasing the number of 
messages: 

if some -new -info then 

for each nonempty subset A of agents do (1) 
if A = {n 6 Nbr : ^KjK n (cont(new-info))} then s end ^(new -info); receive. 

There are, however, some subtleties involved giving semantics to this program; we consider these in the 
next section. In the process, we will see that there are number of ways that the message complexity of 
the program can be further improved. 

4.2 Semantics of kb programs with shared names 

We can use the machinery that we have developed to give semantics to formulas such as K n ip. The 
statement K n ip holds with respect to a situation (r, m, i) and an interpreted system 2 precisely when 
the agent j = fj,(r(rn),i,n) i names n knows <p> when in local state rj(m), i.e., when <p> holds in all 
situations (r', m',j') in 2 agent j cannot distinguish from (r, m, j). We can then define 

(2, r, m, i) \= K n ip iff, for all j, j' and points (r', m') such that [i(r(m),i, n) = j 
and rj(m) = r'-,(m'), we have (2, r', m',j') \= (p. 

As observed by GH, once we allow relative names, we must be careful about scoping. For example, 
suppose that, in an oriented ring, i's left neighbor is j and j's left neighbor is k. What does a formula 
such as KjKl (left -input = 3) mean when it is interpreted relative to agent i? Does it mean that i 
knows that j knows that fc's input is 3, or does it mean that i knows that j knows that j's input is 3? 
That is, do we interpret the "left" in left-input relative to i or relative to i's left neighbor p. Similarly, 
to which agent does the second L in KiK^K^^p refer? That, of course, depends on the application. 
Using a first-order logic of naming, as in HGrove 19951 , allows us to distinguish the two interpretations 
readily. In a propositional logic, we cannot do this. In the propositional logic, GH assumed innermost 
scoping, so that the left in left-input and the second L in KjK^K^Lp are interpreted relative to the 
"current" agent considered when they are evaluated (which is j). For the purpose of this paper, in 
a formula such as KiK n cont (new -info), we want to interpret cont (new -info) relative to "I", the 
agent i that sends the message, not with respect to the agent j that is the interpretation of n. To capture 
this, we add limited quantification over names to the language. In particular, we allow formulas of the 
form 3n' (Calls (n, I, n') A iv~ n (n"s</?)), which is interpreted as "there exists a name n' such that the 
agent / names n gives name n' to the agent that currently has name / and n knows that ip interpreted 
relative to n' holds". Thus, to emphasize the scoping, instead of writing KjK n cont (new -info), we 
write K f (3n' (Calls (n, /, n') A K n (n"scont(new-info)))). 

We can now give semantics to kb programs. We can associate with a kb program Pg fcfe and an 
extended interpreted system 2 = (1Z,tt,[i) a protocol for agent i denoted (Pgfcfjf. Intuitively, we 
evaluate the standard tests in Pg fcfe according to it and \i and evaluate the knowledge tests according to 
2. Formally, for each local state I of agent i, we define (Pg/^f (I) to consist of all actions act, such 
that the test tj A kj holds with respect to a tuple (r, m, i')'m2 such that 7y (m) = I (recall that protocols 
can be nondeterministic); if there is no point in 2 where some agent has local state I, then (Pgkb)I(^) 
performs the null action (which leaves the state unchanged). 
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A joint protocol P is said to implement Pg^ in inteipreted context (7, ir) if, by inteipreting Pg fc{) 
with respect to I(P, 7, it), we get back protocol P; i.e., if, for each agent i, we have P{ = (Pgkb)^ <yP ' n,lv \ 
Here we seem to be implicitly assuming that all agents run the same kb program. This is certainly true 
for the programs we give for global function computation, and actually does not result in any loss of 
generality. For example, if names are commonly known, the actions performed by agents can depend 
on tests of the form "if your name is n then . . . ". Similarly, if we have a system where some agents are 
senders and others are receivers, the roles of agents can be encoded in their local states, and tests in the 
program can ensure that all agents act appropriately, despite using the same program. 

In certain cases we are interested in joint protocols P that satisfy a condition slightly weaker than 
implementation, first defined by Halpern and Moses [2004] (HM from now on). Joint protocols P and 
P' are equivalent in context 7, denoted P ?» 7 P' , if Pi(£) = P((£) for every local state i = rj(m) with 
r G R(-P, 7). We remark that if P « 7 P', then it easily follows that R(-P, 7) = R(-P', 7): we simply 
show by induction on m that every prefix of a run in R(P, 7) is a prefix of a run in R(P', 7), and vice 

versa. P de facto implements Pg^ in context 7 if P « 7 Pg^ P ' 7,7r ' ) . Arguably, de facto implementation 
suffices for most purposes, since all we care about are the runs generated by the protocol. We do not 
care about the behavior of the protocol on local states that never arise when we run the protocol. 

The kb program Pg^ solves the global function computation problem for / in the interpreted con- 
text (-y GG ,ir) if, for all protocols P that de facto implement Pg^ in j GC and all runs r in 7£(P, 7), 
eventually all agents in A(r) know the value f(N r ). 

We can now show that the kb program £T|) solves the global function computation problem for all 
functions / and interpreted contexts (7 , it) for global function computation such that / and M(^ GC ) 
satisfy the condition in Theorem 12.3 1 Rather than proving this result, we focus on further improving the 
message complexity of the kb program, and give a formal analysis of correctness only for the improved 
program. 



4.3 Avoiding redundant communication with counterfactual tests 

We can further reduce message complexity by not sending information not only if the recipient of the 
message already knows the information, but also if he will eventually know the information. It seems 
relatively straightforward to capture this: we simply add a operator to the kb program {[]to get 

if some-new -info then 

for each nonempty subset A of agents do 

if A = {n € Nbr : -ii^/0(3n / (Ca//s(n, I, n') A K n (n"scont (new -info))))} 
then send A(new _info); receive. 

Unfortunately, this modification will not work: as observed by HM, once we add the operator, 
the resulting program has no implementation in the context 7 GC . For suppose there exists a protocol P 
that implements it, and let X = 2(P, j GG , n), that is, by interpreting the above program w.r.t. 1, we get 
back the protocol P. Does i (the agent represented by /) send new -info to n in Zl If i sends its new 
information to n at time m in a run r of T, then, as communication is reliable, eventually n will know 
z's new information and i knows that this is the case, i.e., (2,r,m,i) \= K j () (3n' (C alls (n, I, n') A 
K a {n'\cont{new-info)))). As P implements the above kb program and 1 = 1(P, 7 GC ', vr), it follows 
that i does not send its new information to n. On the other hand, if no one sends new-info to n, then 



16 



n will not know it, and i should send it. Roughly speaking, i should send the information iff i does not 
send the information. 

HM suggest the use of counterfactuals to deal with this problem. As we said in the introduction, 
a counterfactual has the form ip > tp, which is read as "if ip were the case then tp". As is standard in 
the philosophy literature (see, for example, BLewis 1973t Stalnake r 196811 ). to give semantics to coun- 
terfactual statements, we assume that there is a notion of closeness defined on situations. This allows 
us to consider the situations closest to a given situation that have certain properties. For example, if in 
a situation (r, m, i) agent i sends its new information to neighbor n, we would expect that the closest 
situations (r', m, i) to (r, m, i) where i does not send its new information to n are such that, in r', all 
agents use the same protocol in r' as in r, excpet that, at time m in r' , i sends its new information to all 
agents to which it sends its new information at the point (r, m) with the exception of n. The counter- 
factual formula ip > tp is taken to be true if, in the closest situations to the current situation where ip is 
true, tp is also true. 

Once we have counterfactuals, we must consider systems with runs that are not runs of the program. 
These are runs where, for example, counter to fact, the agent does not send a message (although the 
program says it should). Following HM, we can make these executions less likely relative to those 
generated by running the program by associating to each run a rank; the higher the rank, the less likely 
the run. We then require that the runs of the program be the only ones of minimal rank. Once we work 
with a system that includes runs other than those generated by the program, agents may no longer know 
that, for example, when the program says they should send a message to their neighbor, they actually 
do so (since there could be an run in the system not generated by the program, in which at some point 
the agent has the same local state as in a run of the program, but it does not send a message). Agents do 
know, however, that they send the message to their neighbor in all runs of minimal rank, that is, in all 
the runs consistent with the program. By associating a rank with each run, we can talk about formulas 
ip that hold at all situations in runs of minimal rank among those an agent i cannot distinguish from 
the current situation. If ip holds at all points in runs of minimal rank that i considers possible then we 
say that i believes ip (although i may not know ip. We write B n ip to denote that the agent named n 
believes ip, although this is perhaps better read as "the agent named n knows that ip is (almost certainly) 
true". We provide the formal semantics of belief and counterfactuals, which is somewhat technical, in 
Appendix lAl we hope that the intuitions we have provided will suffice for understanding what follows. 

Using counterfactuals, we can modify the program to say that agent i should send the information 
only if i does not believe "if I do not send the information, then n will eventually learn it anyway". To 
capture this, we use the proposition do(send n (new -info)) , which is true if i is about to send new-info 
to n. If there are only finitely many possible values of /, say v±, . . . , vp,, then the formula B n (f = 
v\) V . . . V B n (f = Vk) captures the fact that the agent with name n knows the value of /. However, in 
general, we want to allow an unbounded number of function values. For example, if agents have distinct 
numerical ids, we are trying to elect as leader the agent with the highest id, and there is no bound on 
the size of the network, then the set of possible values of / is unbounded. We deal with this problem by 
allowing limited quantification over values. In particular, we use formulas of the form 3vB n (f = v), 
which intuitively say that the agent with name n knows the value of /. Let Pg^p denote the following 
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modification of Pg 



if some -new -info then 

for each nonempty subset A of agents do 

if A = {n € Nbr : do {send n {new -info)) > 

0(3n' (Calls(n, I, ri) A B n {ri'scont{new_info))) V 3vB n {f = v))}} 
then send A(new -info); receive. 

In this program, the agent i representing / sends n the new information if i does not believe that n will 
eventually learn the new information or the function value in any case. As shown in Appendix |B] this 
improved program still solves the global function computation problem whenever possible. 

Theorem 4.1: If f and N{"j GC ) satisfy the condition in Theorem \2.3\ then Pg GG solves the global 
function computation problem for f in all interpreted contexts (7 , it) for global function computation. 

5 Case study: leader election 

In this section we focus on leader election. If we take the function / to describe a method for computing 
a leader, and require that all agents eventually know who is chosen as leader, this problem becomes 
an instance of global function computation. We assume that agents have distinct identifiers (which is 
the context in which leader election has been studied in the literature). It follows from Corollary 12.41 
that leader election is solvable in this context; the only question is what the complexity is. Although 
leader election is only one instance of the global function computation problem, it is of particular in- 
terest, since it has been studied so intensively in the literature. We show that a number of well-known 
protocols for leader election in the literature essentially implement the program Pg GG . In particular, we 
consider a protocol combining ideas of Lann 1119771 and Chang and Roberts 1119791 (LCR from now on) 
presented by Lynch [ 1997], which works in unidirectional rings, and Peterson's 1119821 protocol PI for 
unidirectional rings and P2 for bidirectional rings. We briefly sketch the LCR protocol and Peterson's 
protocols PI and P2, closely following Lynch's [1997] treatment. 

The LCR protocol works in unidirectional rings, and does not assume a bound on their size. Each 
agent starts by sending its id along the ring; whenever it receives a value, if the value is larger than the 
maximum value seen so far, then the agent forwards it; if not, it does nothing, except when it receives 
its own id. If this id is M, the agent then sends the message "the agent with id M is the leader" to 
its neighbor. Each agent who receives such a message forwards it until it reaches the agent with id M 
again. The LCR protocol is correct because it ensures that the maximum id travels along the ring and is 
forwarded by each agent until some agent receives its own id back. That agent then knows that its id is 
larger than that of any other agent, and thus becomes the leader. 

Peterson's protocol P2 for bidirectional rings operates in phases. In each phase, agents are desig- 
nated as either active or passive. Intuitively, the active agents are those still competing in the election. 
Once an agent becomes passive, it remains passive, but continues to forward messages. Initially all 
agents are active. In each phase, an active agent compares its id with the ids of the closest active agent 
to its right and the closest active agent to its left. If its id is the largest of the three, it continues to be 
active; otherwise, it becomes passive. Just as with the LCR protocol, when an agent receives back its 
own id, it declares itself leader. Then if its id is M, it sends the message "the agent with id M is the 
leader", which is forwarded around the ring until everyone knows who the leader is. 
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Peterson shows that, at each phase, the number of active agents is at most half that of the previous 
phase, and always includes the agent with the largest id. It follows that, eventually, the only active agent 
is the one with the largest id. Peterson's protocol terminates when the agent that has the maximum id 
discovers that it has the maximum id by receiving its own id back. The message complexity of Peterson's 
protocol is thus 0(n log n), where n is the number of agents. 

Peterson's protocol PI for unidirectional rings is similar. Again, passive agents forward all messages 
they receive, at each round at most half of the agents remain active, and the agent with the largest value 
becomes leader. There are, however, a number of differences. Agents now have "temporary" ids as 
well as their own ids. It is perhaps better to think of an agent's id as being active if it has an "active 
temporary id". (In the bidirectional case, we can identify the temporary id with the actual id, so an 
agent is active iff its id is active.) We take a temporary id to be active at phase p + 1 if it is larger 
than the temporary ids that precede or follow it in phase p. But since messages can only be sent in one 
direction, the way to discover this is for an active agent to forward its temporary id to the following two 
active agents. An active agent can then tell if the preceding active agent's temporary id was greater than 
the following and preceding active temporary id's. If so, it remains active, and takes as its temporary id 
what was the temporary id of the preceding active agent. Otherwise, the agent becomes passive. It is not 
hard to check that an agent is active in the bidirectional protocol iff its id is active in the unidirectional 
protocol (i.e., iff its id is the temporary id of an active agent in the unidirectional protocol). When an 
agent receives its original value, then it declares itself leader and sends a message describing the result 
of the election around the ring. 

We remark that although they all work for rings, the LCR protocol is quite different from PI and 
P2. In the LCR protocol, agents forward their values along their unique outgoing link. Eventually, the 
agent with the maximum input receives its own value and realizes that it has the maximum value. In PI 
and P2, agents are either active or passive; in each round, the number of active agents is reduced, and 
eventually only the agent with the maximum value remains active. 

Despite their differences, LCR, PI, and P2 all essentially implement Pg^p. There are two reasons 
we write "essentially" here. The first, rather trivial reason is that, when agents send information, they 
do not send all the information they learn (even if the agent they are sending it to will never learn this 
information). For example, in the LCR protocol, if agent i learns that its left neighbor has value v and 
this is the largest value that it has seen, it passes along v without passing along the fact that its left 
neighbor has this value. We can easily deal with this by modifying the protocols so that all the agents 
send newJnfo rather than whatever message they were supposed to send. However, this modification 
does not suffice. The reason is that the modified protocols send some "unnecessary" messages. This is 
easiest to see in the case of LCR. Suppose that j is the processor with highest id. When j receives the 
message with its id back and sends it around the ring again (this is essentially the message saying that j 
is the leader), in a full-information protocol, j's second message will include the id j' of the processor 
just before j. Thus, when j' receives j's second message, it will not need to forward it to j. If LCR' 
is the modification of LCR where each process sends newJnfo rather than the maximum id seen so 
far, and the last message in LCR is not sent, then we can show that LCR' indeed de facto implements 
Pg^p. The modifications to P2 that are needed to get a protocol P2' that de facto implements Pg^ 
are somewhat more complicated. Each processor i running P2' acts as it does in P2 (modulo sending 
new Anfo) until the point where it first gets a complete picture of who is in the ring (and hence who the 
leader is). What happens next depends on whether i is the first to find out who the leader is or not and 
whether i is active or not. We leave details to the Appendix ICl 
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Theorem 5.1: The following all hold: 



(a) Given parameter d, the optimal flooding protocol ^Lynch 1997 1 de facto implements Pg c j, in 



contexts where ( i) all networks have diameter at most d and ( ii) all agents have distinct identifiers. 

(b) LCR' de facto implements Pg^p in all contexts where (i) all networks are unidirectional rings 
and ( ii) agents have distinct identifiers. 

(c) There exists a protocol PI' that agrees with PI up to the last phase (except that it sends new_info) 
and implements Pg c6 in all contexts where ( i) all networks are unidirectional rings and ( ii) agents 
have distinct identifiers. 

( d) There exists a protocol P2' that agrees with P2 up to the last phase ( except that it sends new_info ) 
and de facto implements Pg c f, in all contexts where ( i) all networks are bidirectional rings and 
( ii) agents have distinct identifiers. 

Theorem |5.1| brings out the underlying commonality of all these protocols. Moreover, it emphasizes 
the connection between counterfactual reasoning and message optimality. Finally, it shows that reason- 
ing at the kb level can be a useful tool for improving the message complexity of protocols. For example, 
although P2' has the same order of magnitude message complexity as P2 (0(n log n)), it typically sends 
0(n) fewer messages. While this improvement comes at the price of possibly longer messages, it does 
suggest that this approach can result in nontrivial improvements. Moreover, it suggests that starting with 
a high-level kb program and then trying to implement it using a standard program can be a useful design 
methodology. Indeed, our hope is that we will be able to synthesize standard programs by starting with 
high-level kb specifications, synthesizing a kb program that satisfies the specification, and then instan- 
tiating the kb program as a standard program. We have some preliminary results along these lines that 



give us confidence in the general approach [Bickford, Constable, Halpern, and Petride 2005 1 ; we hope 



that further work will lend further credence to this approach. 



A Counterfactual belief-based programs with names 

The standard approach to giving semantics to counterfactuals ILewis 19731 [Stalnake r 19681 is that tp > 
ip is true at a point (r, m) if ip is true at all the points "closest to" or "most like" (r, m) where ip is true. 
For example, suppose that we have a wet match and we make a statement such as "if the match were 
dry then it would light". Using =^ this statement is trivially true, since the antecedent is false. However, 
with >, we must consider the worlds most like the actual world where the match is in fact dry and decide 
whether it would light in those worlds. If we think the match is defective for some reason, then even if 
it were dry, it would not light. 

To capture this intuition in the context of systems, we extend HM's approach so as to deal with 
names. We just briefly review the relevant details here; we encourage the reader to consult [Halpern an d Moses 2004[ 



for more details and intuition. Define an order assignment for an extended interpreted system X = 

(1Z, ir, p) to be a function < that associates with every situation (r, m, i) a partial order relation <u m ^ 

over situations. The partial orders must satisfy the constraint that (r, m, i) is a minimal element of <( r>mi j), 

so that there is no situation (r',m',i') such that (r',m',i') <i(r,m,i)( r i m i Intuitively, (ri, mi, h)<-(r,m,,i)( r 2, mi, i%) 

if (ri,mi,ii) is "closer" to the true situation (r, m, i) than (r2, jt^,^)- A counterfactual system is a 
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pair of the form J = (I, <), where 2 is an extended interpreted system and < is an order assignment 
for the situations in 2. 

Given a counterfactual system J = (2, <), a set A of situations, and a situation (r, to, i), we define 
the situations in A that are closest to (r, to, i), denoted closest(j4, r, to, i), by taking 

closest(A, r, to, i) = 

{(r', to', i') G ^4 : there is no situation (r", to", i") G yl 
such that (r", to", i")<(r,m,i)( r '> m '> *')}• 

A counterfactual formula is assigned meaning with respect to a counterfactual system J by inter- 
preting all formulas not involving > with respect to 2 using the earlier definitions, and defining 

(J } r,m,i) \= ip > if) iff for all (r', to', i') £ closest {\(p\ j ,r, to, i), (J, r', to', i') |= if), 

where \<p\j = {(r, to, i) : (J", r, to, i) |= (/?}; that is, \ip\j consists of all situations in J satisfying (p. 

All earlier analyses of (epistemic) properties of a protocol P in a context 7 used the runs in R(P, 7), 
that is, the runs consistent with P in context 7. However, counterfactual reasoning involves events that 
occur on runs that are not consistent with P (for example, we may need to counterfactually consider the 
run where a certain message is not sent, although P may say that it should be sent). To support such 
reasoning, we need to consider runs not in R(P, 7). The runs that must be added can, in general, depend 
on the type of counterfactual statements allowed in the logical language. Thus, for example, if we allow 
formulas of the form do(i, act) > ip for process i and action act, then we must allow, at every point of 



the system, a possible future in which i's next action is act. Following [Halpern and Moses 2004], we 
do reasoning with respect to the system 1Z + (7) consisting of all runs compatible with 7, that is, all runs 
consistent with some protocol P' in context 7. 

We want to define an order assignment in the system 1Z + (^) that ensures that the counterfactual 
tests in Pg^ , which have an antecedent ^do(send n (msg), get interpreted appropriately. HM de- 
fined a way of doing so for counterfactual tests whose antecedent has the form do(i, act). We modify 
their construction here. Given a context 7, situation (r, m,i) in lZ + ( , y), action act, and a determin- 
istic protocol P@ we define the closest set of situations to (r, m, i) where i does not perform action 
send n (msg), close(send n (msg), P, 7, r, to, i), as {(r',m, i') : (a) r' G TZ + {^), (b) r'(m') = r(m') 
for all to' < to, (c) if agent i performs some action sendA{msg') according to P in local state rj(m) 
and n ^ A or msg' 7^ msg, or if i does not perform action sendA{msg') for any set A of agents 
and message msg', then r' = r and i = i', (d) if agent i performs sendA{rnsg) according to P in 
local state rj(m) and n G A, then i performs send A-{n}( ms 9) i n local state ^(to) in run r', and fol- 
lows P in all other local states in run r', (e) all agents other than i' follow P at all points of r'}. That 
is, close(send n (msg), P, 7, r, to, i) is {r, m,i} if i does not send msg to n at the local state rj(m); 
otherwise close(send n (msg) , P, 7, r, to, i) is the set consisting of situations (r', to, i') such that r' is 
identical to r up to time to and all the agents act according to P at later times, except that at the local 
state r'j, (to) = r-j(m) in r', agent i' who is indistinguishable from i does not send msg to n, but does 
send it to all other agents to which it sent msg in rj(m). 

Define an order generator o to be a function that associates with every protocol P an order assign- 
ment < p = o(P) on the situations of 1Z + (7). We are interested in order generators that prefer runs in 



4 We restrict in this paper to deterministic protocols. We can generalize this definition to randomized protocols in a straight- 
forward way, but we do not need this generalization for the purposes of this paper. 
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which agents follow their protocols as closely as possible. An order generator o for 7 respects protocols 
if, for every (deterministic) protocol P, interpreted context Q = (7, it) for global computation, situation 
(r,m,i) in R(P, 7), and action act, closest(l-^send A(msg)}i^p t Q, r, m, i) is a nonempty subset of 
close(send n (msg) , P, 7, r, m, i) that includes (r, m, i) if (r, to, z) G close(sendA(msg), P, 7, r, m, i). 
Perhaps the most obvious order generator that respects protocols just sets closest (l-^send n (msg)}i^p^, 
r, m, i) = close( send n (msg), P, 7, r, m, i), although our results hold if = is replaced by C. 

Reasoning in terms of the large set of runs lZ + (^) as opposed to R(P, 7) leads to agents not knowing 
properties of P. For example, even if, according to P, some agent i always performs action act when 
in local state k, in 1Z + (j) there are bound to be runs r and times to such that rj(m) = Zj, but i does 
not perform action act at the point (r, to). Thus, when we evaluate knowledge with respect to 7£ + (7), 
i no longer knows that, according to P, he performs act in state l{. Following HM, we deal with 
this by adding extra information to the models that allows us to capture the agents' beliefs. Although 
the agents will not know they are running protocol P, they will believe that they are. We do this by 
associating with each run r G TZ + ('-f) a rank n(r), which is either a natural number or 00, such that 
min rg 7 ? +( 7 ) At(r) = 0. Intuitively, the rank of a run defines the likelihood of the run. Runs of rank are 
most likely; runs of rank 1 are somewhat less likely, those of rank 2 are even more unlikely, and so on. 
Very roughly speaking, if e > is small, we can think of the runs of rank k as having probability 0(e k ). 



We can use ranks to define a notion of belief (cf. | Friedman and Halpern 1997 1). 



Intuitively, of all the points considered possible by a given agent in a situation (r,m,i), the ones 
believed to have occurred are the ones appearing in runs of minimal rank. More formally, for a point 
(r, to) define 

m\nf(r, to) = mm{ft(r') | r' G TZ + ("f) and r-;(m') = rj(m) for some to' > and i' G A(r')}. 

Thus, minf (r, m) is the minimal ft-rank of runs r' in which rj(m) appears as a local state at the point 

(r\ m). 

A counterfactual belief system (or just cb system for short) is a triple of the form J = (I, <, k), 
where (X, <) is a counterfactual system, and k is a ranking function on the runs of X. In cb systems we 
can define a notion of belief. We add the modal operator B n to the language for each n G N, and define 

(X, <. k, r, m, i) \= B n ip iff, for all j, f and points (r', mf) such that fj,(r, m, i, n) = j, 

rj(m) = r'j,(m'), and n(r') = min|(r,m), we have (X,r',m',f) \= cp. 

The following lemma illustrates a key feature of the definition of belief. What distinguishes knowl- 
edge from belief is that knowledge satisfies the knowledge axiom: Knp =4> if is valid. While Bnp =>■ tp 
is not valid, it is true in runs of rank 0. 



Lemma A.l: [Halpern and Moses 2004] Suppose that J = (TZ, it, ji, <, k) is a cb system, r G 1Z, and 



ft(r) = 0. Then for every formula tp and all times m, we have (J , r, m, i) \= Bj(p <p. 

By analogy with order generators, we want a uniform way of associating with each protocol P a 
ranking function. Intuitively, we want to do this in a way that lets us recover P. We say that a ranking 
function k is P -compatible (for 7) if k(t) = if and only if r G R(P, 7). A ranking generator for a 
context 7 is a function a ascribing to every protocol P a ranking a(P) on the runs of 1Z + (7). A ranking 
generator a is deviation compatible if a(P) is P-compatible for every protocol P. An obvious example 
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of a deviation-compatible ranking generator is the characteristic ranking generator a^, where cr^(P) is 
the ranking that assigns rank to every run in H(P, 7) and rank 1 to all other runs. This captures the 
assumption that runs of P are likely and all other runs are unlikely, without attempting to distinguish 
among them. Another deviation-compatible ranking generator is a*, where cr*(P) is the ranking that 
assigns to a run r the total number of times that agents deviate from P in r. Obviously, a*(P) assigns r 
the rank exactly if r € R(-P, 7), as desired. Intuitively, a* captures the assumption that not only are 
deviations unlikely, but they are independent. 

It remains to give semantics to the formulas 3n' (Calls(n, I, n') A l? n (n"s(y2)) and 3vB n (f = v). 
Recall that we want 3n' (Calls (n, I, n') A £? n (n"s</?)) to be true at a situation (r, m, i) if there exists a 
name n' such that the agent j that agent i names n calls i n', and j knows that ip interpreted relative to 
n' (i.e., i) holds. More formally, 

(2, <, k, r, m, i) \= 3n' (Calls(n, I, n') A B n (n h sip)) iff, for all j,j' and points (r', m!) 
such that fi(r(m),i, n) = j, rj(m) = r'-,(m'), and n(r') = mirror, m), we have 
(2, r', m', i) \= ip. 

Note that the semantics for 3n' (Calls (n, /, n') A B n (n h s<p)) is almost the same as that for B n (p. The 
difference is that we evaluate ip at (r' , m') with respect to i (the interpretation of I at the situation 
(r, m, i)), not j'. We could give semantics to a much richer logic that allows arbitrary quantification 
over names, and give separate semantics to formulas of the form Calls(n, I, n') and n"s<^, but what we 
have done suffices for our intended application. 

The semantics of 3vB n (f = v) is straightforward. Recall that the value of / in run r is f(N r ). We 
can then take 3vB n (f = v) to be true at a point (r, m) according so some agent i if all runs n believes 
possible are associated with the same function value: 

(I, <, k, r, m, i) \= 3vB n (f = v) iff, for all and points (r', m!) such that fi(r(m),i, n) = j, 
rj(m) = r'-,(m'), and re(r') = mirror, m), we have f(N r ) = f(N r >). 

With all these definitions in hand, we can define the semantics of counterfactual belief-based pro- 
grams such as Pgc6 . A counterfactual belief-based program (or ebb program, for short) Pg c6 is similar 
to a kb program, except that the knowledge modalities K n are replaced by the belief modalities B n . We 
allow counterfactuals in belief tests but, for simplicity, do not allow counterfactuals in the standard tests. 

As with kb programs, we are interested in when a protocol P implements a ebb program Pg c f,. 
Again, the idea is that the protocol should act according to the high-level program, when the tests are 
evaluated in the cb system corresponding to P. To make this precise, given a cb system J = (1, <, k), 
an agent i, and a ebb program Pg c (,, let (Pg c fe)f^ denote the protocol derived from Pg c6 by using J to 
evaluate the belief tests. That is, a test in Pg c6 such as B n tp holds at a situation (r, m, i) in J if ip holds 
at all situations (r r , m',j') in J such that p(r(m), i, n) = j,r'-,(m') = rj(m), and n(r') = min"(r,m). 
Define a cb context to be a tuple (7, ir, o, a), where (7, n) is an interpreted context with naming function 
/x 7 (for simplicity, we use p 7 to refer to the naming function in context 7), o is an order generator for 
1Z + (7) that respects protocols, and a is a deviation-compatible ranking generator for 7. A cb system 
J = (X, <, k) represents the ebb program Pg c6 in cb context (7, ir, o, a) if (a) 1 = (1Z + (7) , ir , /x 7 ), 
(b) < = o(Pg^), and (c) k = a(Pgf b ). A protocol P implements Pg cb in cb context \ = (7> n> °, °~) 
if p = Pg (?>°(P)MP)) _ Protocol P de f acto i mp i em ents Pg cb in x if P ~ 7 Pgg' ^'* 7 ^ . 
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B Proof of correctness for Pg" 



Theorem I4.lt If f and M(^ GC ) satisfy the condition in Theorem \2.3\ then Pg^j, solves the global 
function computation problem for f in all interpreted contexts (j GC , n) for global function computation. 

Proof: Let / and M be such that the condition in Theorem 12.31 is satisfied. Suppose that o is an 
order generator that respects protocols, a is a deviation-compatible ranking generator, ^ GC is a context 
for global computation such that in all initial states the network encoded in the environment state is 
in TV, x GC is the crj context (j GC , tt, o, a), P is a protocol that de facto implements Pg^p in x GC > 
J = (TZ + ('j),7r, fij,o(P), <j(P)), and r G R(-P, 7 GC )- We prove that at some point in run r all agents 
in N r know f(N r ). 

We proceed much as in the proof of Theorem 13.11 we just highlight the differences here. Again, 
we first show that some agent in r learns f(N r ). Suppose not. Let r' be the unique run of the full- 
information protocol in a synchronous context starting with the same initial global state as r. Again, we 
show by induction on k that there is a time m& such that, at the point (r, m^), all the agents in A(r) 
have at least as much information about the network as they do at the beginning of round k in r'. The 
base case is immediate, as before. For the inductive step, suppose that i learns some information about 
the network from j during round k. Again, there must exist a time ml < m where j first learns this 
information in run r. It follows that (J, r, m' k ,j) \= some-new -info. 

Suppose that j names ininr; that is // 7 (r(mfc), j, n) = i. Now either (a) j believes at time ml 
that, if he does not perform a send a (new -info) action with n € A, i will eventually learn its new 
information or the function value anyway, or (b) j does not believe this. In case (b), it follows that 

(J,r,m' k ,j) \= ~^Bj[^do(send n (new-info)) > ()((3n f (Calls (n, I, n')A 
-B n (n' 's cont (new -info))) V 3vB n (f = v))]. 

Since P implements Pg GG in x GC '> i n case (b), j sends i new -info at time ml, so there is some round 
m'l by which i learns this information. On the other hand, in case (a), it must be the case that 

(J \r,m' k ,j) \= Bi[-ido(send n (new-info)) > ()(3n' (Calls (n, I, n')A 
B n (n' 's cont (new -info))) V 3vB n (f = v))]. 

Since o is deviation compatible by assumption, and r is a run of P, it follows that k(t) = 0. Thus by 
Lemma TA. II 

(J~,r,m' k ,j) \= ^do(send n (new-info)) > ()(3n' (Calls (n, I, n')A 
-B^n' 's cont (new -info))) V 3vB n (f = v)). 

Since P implements Pg^& in x GC in case ( a )> j does not send new -info to i in round m' k . Thus, 
(J ,r,m' k , j) \= -^do(send n (new_info)). It follows that 

(J~,r,m' k , j) \= 3n'(Calls(n, I, n) A B n (n 's cont (new -info))) V 3vB n (f = v)). 

Since, by assumption, no one learns the function value in r, we have that 

(J^,r,m' k ,j) \= 3n' (Calls (n, I, n') A 5 n (n' 's cont (new -info))). 

Thus, it follows that i must eventually learn fs information in this case too. 

It now follows, just as in the proof of Theorem 13. 1[ that some agent learns f(N r ) in r, and that 
eventually all agents learn it. We omit details here. | 
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status := nonleader; maxid := id; vain :=-L; done := 
sendi(id) 
do until done = 1 
receive 

if RQ ^ _L then 

vain := dequeue(RQ) 
if {vain = *<0 then 

status := leader; send l(" id is the leader"); done := 1 
else if (vain > maxid) then 

maxid := vain; sendiimaxid) 
else if (vain is a leader message) then 

sendL(valji); done := i 

Figure 3: The LCR protocol. 

do until (id E vain) A (seni leader message V maxid = id^) 
receive 

if some _new -info then 

if ((id $l vain A max(valn) > maxid) V (id € ua^) then send L(new Anfo) 

Figure 4: The LCR' protocol. 

C Proof of Theorem EE 

In this section we prove Theorem 15. 1[ which says that LCR', PI', and P2' de facto implement Pg^p. 
We start by sketching the proof for LCR', and then provide a detailed proof for P2'. The proof for PI' is 
similar and is omitted here. 

C.l The argument for LCR' 

The pseudocode for LCR and LCR' is given in Figures [3] and ^respectively. In the code for LCR, we use 
id to denote the agent's initial id. We assume that each agent has one queue, denoted RQ, which holds 
messages received from the right. The placing of messages in the queue is controlled by the channel, not 
the agent. We use RQ = _L to denote that the right queue is empty. We write vain := dequeue(RQ) to 
denote the operation of removing the top message from the right queue and assigning it to the variable 
vain. If RQ = _L when a dequeue operation is performed, then the agent waits until it is nonempty. 
Each agent has a local variable status that is initially set to nonleader and is changed to leader only by 
the agent with the maximum id in the ring when it discovers it is the leader. We take done to be a binary 
variable that is initialized to and changed to 1 after the maximum id has been computed. Agents keep 
track of the maximum id seen so far in the variable maxid. We call a message of the form "M is the 
leader" a leader message. Note that in our version of LCR, after the leader finds out that it is the leader, 
it informs all the other agents of this fact. This is not the case for the original LCR protocol. We include 
it here for compatibility with our global function computation protocol. (Similar remarks hold for P2.) 

In the code for LCR', vain encodes all the new information that the sender sends (and thus is not 
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just a single id). Let max(valji) be the maximum id encoded in voIr. Since an agent sends all the new 
information it has, there is no need for special messages of the form "M is the leader". The leader can 
be computed from vclIr if the message has gone around the ring, which will be the case if id G voIr. 
Moreover, if id £ voIr, an agent can also compute whether the leader is its left neighbor, and whether 
it has earlier essentially sent an "M is the leader message" (more precisely, an agent can tell if it has 
earlier been in a state where id € vclIr and it sent a message). We take the test idr, = maxid to be 
true if an agent knows that the leader is its left neighbor (which means that a necessary condition for 
idL = maxid to be true is that id G voIr); we take sent leader message to be true if id € vclIr and the 
agent earlier sent a message when i € vclIr was true. Notice that in LCR' we do not explicitly set voIr; 
voIr can be computed from the agent's state, by looking at the new information received. 

The basic idea of the proof is simple: we must show that Pg^p and LCR' act the same at all points 
in a system that represent LCR'. That means showing that an agent sends a message iff it believes that, 
without the message, its neighbor will not eventually learn the information that it has or the function 
value. Since LCR' solves the leader election problem, when processors do not send a message, they 
believe (correctly) that their neighbor will indeed learn the function value. So consider a situation 
where a processor i sends a message according to LCR'. That means that either it has gotten a message 
vclIr such that vclIr > maxid or it has gotten a leader message. If it does not forward a leader message, 
then it is clear that all the processors between i and the leader (of which there must be at least one) 
will not learn who the leader is, because no further messages will be sent. If i has received a message 
with valR > maxid, then consider maxid is in fact the largest id. Then it is easy to see that i will 
never receive any further messages, and no processor will ever find out who the leader is. Since this 
ring is consistent with i's information, i does not believe that, if it does not forward the message, z's 
left neighbor will learn the information or learn who the leader is. Thus, according to Pg^j , i should 
forward the message. We omit the formal details of the proof here, since we do the proof for P2' (which 
is harder) in detail. 

C.2 The argument for P2' 

We start by describing P2. Since P2 works in bidirectional rings, rather than just having one queue, as 
in LCR, in P2, each agent has two queues, denoted LQ and RQ, which hold messages received from 
the left and right, respectively. While an agent is active, it processes a message from RQ, then LQ, then 
RQ, and so on. The status of an agent, i.e., whether it is active, passive or the leader, is indicated by 
the variable status. Initially, status is active. Finally, we take wl to be a binary variable that indicates 
whether the agent is waiting to receive a message from its left. When an active agent receives voIr, it 
compares valR to its id. If valR = id (which can happen only if i is active) then, as in the LCR protocol, 
i declares itself to be the leader (by setting status to leader), and it sends out a message to this effect. 
If i is active and voIr > id, then i becomes passive; if voIr < id, then i remains active and sends its 
id to the right. Finally, if i is passive, then i forwards vol r to the left. The situation is symmetric if i 
receives vclIl- The pseudocode for P2 is given in Figure [5] 

To understand in more detail how P2 and P2' work, it is helpful to characterize the order in which 
agents following P2 send and process messages. Since P2 and P2' are identical up to the point that 
an agent knows the leader, the characterization will apply equally well to P2'. We can get a complete 
characterization despite the fact that we do not assume synchrony, nor that messages are received in 
FIFO order. As usual, we use (oi, . . . , a^)* to denote or more repetitions of a sequence of actions 
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status := active; vali :=_L; vain :=-L; done := 0; wl = 

sendi(i(i); 

do until done = 1 

if (RQ /_L) A (wZ = 0) then 

vain := dequeue(RQ) 

wl := 1 

if (wa/_R = id) then status := leader; sendji("id is the leader"); done := 1 
if status = active A vaZ# > id then status := passive 
if status = active A voIr < id then sendn(id) 

if status = passive then sendi(id); if (ua/^ is a leader message) then done := i 
if (LQ A (wl = 1) then 

waZ^ := dequeue(LQ) 
wl := 

if (valL = id) then status := leader; sendi( ll id is the leader"); done := i 
if status = active A voIl > id then status := passive 
if status = active A wc^l < id then sendi(id) 

if status = passive then sendji(id); if (wa/_L is a leader message) then done := i 



Figure 5: Peterson's protocol P2. 



ai, . . . ,Ofc. We denote the action of sending left (resp. right) as SL (resp. SR), and the action of 
processing from the left (resp. right) as PL (resp. PR). 

Lemma C.l: For all runs r ofP2, times m, and agents i in N r 

(a) if i is active at time m, then i's sequence of actions in the time interval [0, m) is a prefix of the 
sequence (SL, PR, SR, PL)*; 

(b) if i is passive at time m, i does not yet know which agent has the maximum id, and i became 
passive at time m! < m after processing a message from the right (resp., left), then i's history in 
the time interval [m', m] is a prefix of the sequence (PL, SR, PR, SL)* (resp., (PR, SL, PL, SR)*). 

Proof: We proceed by induction on the time m. The result is trivially true if m = 0, since no actions are 
performed in the interval [0, 0]. Suppose the result is true for time m; we show it for time m + 1. If i is 
active at time m + 1, then the result is immediate from the description of P2 (since it is immediate that, 
as long as i is active, it cycles through the sequence SL, PR, SR, PL). So suppose that i is passive at 
time m + 1. It is clear from the description of P2 that, while i is passive, PL is immediately followed 
by SR and PR is immediately followed by SL. Thus, it suffices to show that (i) if i was active when 
it performed its last action, and this action was PR, then i's next action is PL; (ii) if i was active when 
it performed its last action, and this action was PL, then i's next action is PR; (iii) if i was passive 
when it performed its last action, and this action was SR, then i's next action is PR; and (iv) if i was 
passive when it performed its last action, and this action was SL, then i's next action is PL. The proofs 
of (i)-(iv) are all essentially the same, so we just do (i) here. 
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Suppose that i's last action before time m + 1 was PR, and then i became passive. It is clear from 
the description of P2 that i's next action is either PR or PL. Suppose, by way of contradiction, that i 
performs PR at time m + 1. It follows from the induction hypothesis that there must exist some k such 
that i performed SR k times and PR k + 2 times in the interval [0, m + 1]. But then the agent Ri to 
i's right performed SX at least k + 2 times and PL at most k in the interval [0, m]. This contradicts the 
induction hypothesis. | 

Intuitively, P2 and P2' act the same as long as agents do not know who the leader is. In P2', they 
will know who the leader is once they know all the agents on the ring. To make this latter notion precise, 
define the sets Ii,(i,r, m) and I R (i,r,m) of agents as follows: I R (i,r, 0) = l^ii^r, 0) = {i}. If, at 
time m + 1, i processes a message from its right, and this message was sent by Ri at time m! , then 

I R (i,r,m+ 1) = I R (i,r,m)Ul R (Ri,r,m') and I L (i,r,m+ 1) = I L (i,r,m)U I L {Ri,r,m') - {Ri}. 

If, at time m + l,i processes a message from its left, and this message was sent by Li at time m' , then 

I L (i, r, m + 1) = r, m) U r, m!) and J#(i, r, m + 1) = I R (i, r, m) U I R (Li,r, m!) - {Li}. 

Finally, if i does not process a message at time m + 1, then 

ii?(i, r, m + 1) = I_R,(i, r, m) and /£,(£, r, m + 1) = Ii(i, r, m). 

L R (i,r,m) and I^(i,r, m) characterize the set of agents to i's right and left, respectively, that i 
knows about at the point (r, m). lL{h r, m) and I R (i, r, m) are always intervals for agents running a 
full-information protocol (we prove this formally below). Thus, agent i has heard from everybody in the 
ring, denoted heard _from_all, if t, m)L)I R (i, r, m) contains all agents in the ring. More formally, 
{J,r,m,i) \= heard _from _all if Ii{i,r, m) U I R (i,r,m) consists of all the agents in the network 
N encoded in the environment state in (r, m). Note that heard _from -all may hold relative to agent i 
without i knowing it; i may consider it possible that there are agents between the rightmost agent in 
I R (i, r, m) and the leftmost agent in /^(i, r, m). We define the primitive proposition has-alLinfo to be 
true at at the point (r, m) relative to i if /^(i, r, m) Dl R (i, r, m) — {i} ^ 0. it is not difficult to show that 
has-alLinfo is equivalent to Kr(heard-from-all); thus, we say that i knows it has all the information 
if has-alLinfo holds relative to i. 

The pseudocode for P2' while agents do not know that they have all the information is given in 
Figure [6] (We describe what agents do when they know all the information at the end of this section.) 
Note that the pseudocode does not describe what happens if an agent is active and val R > id. Intuitively, 
at this point, the agent becomes passive, but with P2' there is no action that changes an agent's status; 
rather, the status is inferred from the messages that have been received. (This is similar to the reason that 
the LCR' protocol had so many fewer steps than the LCR protocol.) Since agents running P2 perform 
the same actions under essentially the same conditions as agents running P2' up to the point that an 
agent knows that it has all the information, Lemma ICTl also applies to all runs r of P2', times m, and 
agents i in N r such that i did not know that it had all the information at time m — 1 in r. 

We now prove a number of properties of /^(i, r, m) and I R (i, r, m) that will be useful in our analysis 
of P2'. 

Lemma C.2: For all runs r ofP2' and times m the following hold: 
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send l (new -info); 
do until has -all -info 

if (RQ /_L) A (wl = 0) then 

if status = active A val R < id then send R (new -info) 
if status = passive then send ^(new -info); 
if (LQ /_L) A (wl = 1) then 

if status = active A vclIl < id then send i(new -info) 
if status = passive then send R (new -info); 

Figure 6: The initial part of protocol P2', run while agents do not know that they have all the information. 

(a) I R (i,r, m) is an interval of agents starting with i and going to the right ofi, and Ii(i-, r , m ) is an 
interval of agents starting with i and going to the left ofi. 

(b) If at time m, i processes a message from the right sent by Ri at time m', and Ri did not know 
that it had all the information at time ml, then 

(i) I R (Ri,r,m') D I R (i,r,m - 1) - {i}, I R (i,r,m) D I R (i,r,m - 1), and I R (i,r,m) = 
{i} U I R (Ri,r, m'); and 

(ii) I L (i, r, m) = I L (i, r,m- 1). 

(c) If at time m, i processes a message from the left sent by Li at time m', and Li did not know that 
it had all the information at time m', then 

(i) I L (Li,r,m') D I L (i,r,m - 1) - {i}, I L (i,r,m) D I L (i,r,m - 1), and I L (i,r,m) = 
{i} U Il(Li, r, m'); and 

(ii) I R (i, r, m) = I R (i, r,m- 1). 

(d) If i processed a message from the right in the interval [0, m], and Ri did not know that it had all 
the information when it last sent a message to i, then 

max val R (i,r,m!) 

{m'<m,:valn(i,r,m')j^±} 

is the maximum id of the agents in I R (i, r, m) — {i}, where val R (i, r, m') is the value of agent 
i's variable val R at the point (r, m'); if i processed a message from the left in the interval [0, m], 
then 

max valL(i,r,m') 

{m' <m:valL(i,r,m')j^±} 

is the maximum id in f, m) — {i}. 

(e) i is active at time m if and only if i has the largest id in Ii(i-, r, m) U I R (i, r, m). 

Proof: We prove all parts of the lemma simultaneously by induction on m. The result is immediate if 
m = 0, since i is active at time 0, i does not process a message at time 0, and /^(i, r, 0) = I R (i, r, 0) = 
{i}. Suppose that parts (a)-(e) hold for all times m! < m. We show that they also hold at time m. They 
clearly hold if i does not process a message at time m, since in that case Ii(i, r, m) = Ii(i-, r, m — 1) 
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and Ir(i, r, m) = Ir(i, r,m — 1). So suppose that i processes a message msg from its right at time m, 
and msg was sent by Rj at time m! . (The proof is similar if i receives from the left, and is left to the 
reader.) If msg is the first message received by i from the right, then it follows from Lemma ICTl that i 
has sent no messages to the right, and Ri has sent only one message to i. Thus, Ir(i, r, m — 1) = {i}. 
Parts (a)-(e) now follow easily from the induction hypothesis. 

So suppose that msg is not the first message that i has received from Ri. Part (a) is immediate 
from the induction hypothesis. To prove part (b), let mi be the last time prior to m' that R{ sent a 
message, say msg', to its left. It easily follows from Lemma [CTTI (which, as we observed, also applies 
to P2' while agents do not know that they have all the information) that there are times 7772 and 771,3, 
both in the interval (m\,m'), such that i received msg' at time m-i and Ri processed a message from 
its right at 771,3; moreover, i did not process any messages from the right between time 777,2 and m. By 
the induction hypothesis, I#(i,r, 777,2) = {i} U Iji(Ri,r,mi), Jt(i,r, 7712) = lL(i,r, 7712 — 1), and 
Iji(Ri,r, 777,3 + 1) D Ir{Ri, t, mi). Since 7773 + 1 < m', it follows that Ir(Ri, r, mf) D Ir(Ri, r, mi). 
Since i does not process any messages from its right between time 7712 and m, by definition, lR(i,r,m — 
1) = Ir(i, r, 7772). It follows that Ir(R4, r, m') D Ir(i, r, m — 1) and that 

I R (i,r,m) = I R (i,r,m - 1) U I R (Ri,r,m') = {i} U I R (Ri,r,mi) U I R (Ri,r,m') 
= {i} U I R (Ri, r, m') D {i} U I R (Ri,r, mi) = I R (i, r,m- 1). 

This proves part (i) of (b) for time m. For part (ii), by definition, //_,(«, r,m) = Ii,{i,r, m — 1) U 
lL{Ri,r,m') — {Ri}. By the induction hypothesis, it easily follows that Il(Ri, t, m') — {Ri} Q 
II^-, i", m') C Ji(i, r, m — 1). Thus, I_l(7, r, m) = r,m — 1). 

Part (c) is immediate, since i does not process a message from the left at time m. 

For the first half of part (d), there are two cases to consider. If Ri was active at the point (r, 777'), then 
the result is immediate from part (e) of the inductive hypothesis. Otherwise, by the inductive hypothesis, 
vciIr = valn(i, r, m) = valR(Ri,r, m'). By the inductive hypothesis, vain is greater than or equal to 
the maximum id in Iji(Ri,r, mf) — {Ri}. Since the first value of voIr must be i?j's id, it follows that 

max valR(i,r,m') 

{m' <m:val n(i,r,m')j^-L} 

is greater than or equal to the maximum id in Ir(i, r, m) — {i} = lR(Ri, r, m'). Since valji(i, r, m') 
must be an id in Ir(i, r, m), we are done. The second half of part (d) is immediate from the induction 
hypothesis, since Jl(«, r, m) = r,m — I) by part (b), and valL,{i, r, m) = val(i, r,m — 1). 

Finally, part (e) is immediate from the induction hypothesis if i is passive at time 777 — 1. So suppose 
that i is active at time m — 1. By the induction hypothesis, i's id is the largest in Ii,(i,r,m — 1) U 
lR(i,r, m — 1). If i is active at time m then, by the description of P2', z's id must be greater than 
valR(i, r, 777). Applying part (d) of the induction hypothesis and the fact that i's id is at least as large as 
all those in Ir(i, r, 777— 1), it follows that i's id is at least as large as vaaxs m i< mxva i R u rtm i\^_i} valn(i, r, m'). 
By part (d), at time 777, i's id is at least as large all those in Ir(i, r, m). Since /^(i, r, 777) = r,m — 
1), it follows that fs id is the maximum id in Ir{i, r, m) U r, m). Conversely, if i's id is the maxi- 
mum id in Ir(i, r, m) U Jr,(i, r, m), then by part (d) at time m, i's id must be greater than valji(i, r, m), 
and hence by the description of P2', i is active at (r, 777). | 

It is not difficult to see that P2' ensures that, for all agents i, r, m) U Ir(i, r, m) increases with 
time 777. Thus, eventually at least one agent must know it has all the information. (Recall that we have 
not yet given the pseudocode for P2' for the case that an agent knows it has all the information.) 
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Corollary C.3: In all runs r consistent with P2', eventually at least one agent knows that it has all the 
information, i.e., there exist an agent i and time m such that r, m) n Ir(i, r, m) — {i} ^ 0. 

We say that message msg received by i at time m originated with j at time mf if j is the active 
agent who first sent msg, and msg was sent by j at time mf. More formally, we define origination 
by induction on the time m that msg was received. If msg is received by i from the right, then msg 
originated with Ri at the time that Ri sent it if Ri was not passive when it sent msg; otherwise, if msg 
was received at some time m" < m by R4, then the message msg received by i at m originated with the 
same agent and at the same time as the message msg received by R4 at m". The definition is analogous 
if msg is received by i from the left. 

Let [i..j]_R denote the agents to i's right starting at i and going to j; similarly, let [i.-j]h denote the 
agents to i's left starting at i and going to j. 

Lemma C.4: For all runs r ofP2' and agents i, j in r, 

(a) if at time m agent i processes a message msg from the right that originated with j at m! , msg 
is the pth message j sent left, and no agent in [i..j]R knows that it has all the information when 
it sends msg, then msg is the pth message that i processes from the right, and Iji(i,r, m) = 
I R (j,r,m') U [i..j] R . 

(b) if at time m agent i processes a message msg from the left that originated with j at ml, and 
msg is the pth message j sent right, and no agent in [i..j}L knows that it has all the information 
when it sends msg, then msg is the pth message that i processes from the left and r, m) = 
I L (j,r,m') U [i..j]L- 

Proof: We do the proof for case (a); the proof of (b) is similar and left to the reader. The proof proceeds 
by induction on the number of agents in [i..j] R . Since i ^ j, there are at least two agents in [i.-j]R. If 
there are exactly two, then j = R4. Since the only messages that i processes from the right are those sent 
by j, it is immediate that msg is the pth message i processed from the right. Moreover, by definition 
I R (i, r, m) = Ir(J, r, mf) U {i} = I R (j, r, mf) U [i..j]n. 

Now suppose that (a) holds for all pairs of agents i', j' such that [i'..j']R consists of d > 2 agents 
and [i.-j]n consists of d + 1 agents. Let m Ri be the time Ri sends the message msg to i. Since [i--j]R 
consists of at least 3 agents, it cannot be the case that R t = j. Thus, Ri was passive when it received 
the message msg. Let m' R . be the time Ri processed msg. Since [Ri.-j]R has d agents, by the induction 
hypothesis, it follows that msg was the pth message that Ri processed from the right. By Lemma ICTl 
prior to m' R ., Ri sent exactly p — 1 messages to the left. Moreover, since Ri must process p— 1 messages 
from the left before processing its pth message from the right, it follows from Lemma ICTl that i must 
have processed all the p — 1 messages Ri sent to it before Ri processed msg. It now easily follows that 
msg is the pth message processed by i from the right. By the induction hypothesis, lR(Ri, r, m' R .) = 
IrU, r, mf) U [Ri..j] R . Thus, I R (i, r, m) = I R {Ri,r, m' R f) U {1} = I R (j, r, mf) U [i..j] R , I 

By Lemma IC.ll we can think of P2' as proceeding in phases while agents do not know all the 
information. For p = 1, 2, 3, . . ., we say that in run r, phase 2p — 1 begins for agent i when i sends left 
for the pth time and phase 2p begins for agent i when i sends right for the pth time; phase p for agent i 
ends when phase p + 1 begins. 

The following lemma provides some constraints on what agents know about which agents are active 
and passive. 
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Lemma C.5: For all runs r ofP2', times m, and agents i, if m > 0, the last message that i processed 
before time m was the pth message, and no agent knows all the information at time m — 1, then 

(a) ifji, ■ ■ ■ ,jk are the active agents at time m in Ir(i, r, m), listed in order of closeness to i on the 
right ( so that j\ is the closest active process to i 's right with j\ = i if i is active, and jj~ is the 
farthest) then (i) idj 1 > . . . > idj k , (ii) if ji 7^ i, then ji will be passive after having processed its 
(p — Z + l)st message, for I = 2, . . . , k, provided that ji processes its {p — l+ l)st message before 
knowing all the information; (Hi) if ji = i, then ji will be passive after after having processed its 
(p — l + 3)rd message, for I = 2, . . . , k, provided that ji processes its (p — l + 3)rd message before 
knowing all the information; and (iv) the last message that i processed from the right originated 
with ji. 

(b) if hi, . . . , hy are the active agents at time m in /^(i, r, m) listed in order of closeness to i on the 
left, then (i) id ^ > . . . > idh y , (H) if hi 7^ i, then hi will be passive after having processed 
its (p — I + l)st message, for I = 2, . . . , k', provided that hi processes its (p — I + l)st message 
before knowing all the information; (Hi) if hi = i, then hi will be passive after having processed 
its (p — I + 3)rd message, provided that it processes its (p — I + 3)rd message before knowing all 
the information; and (iv) the last message that i processed from the left originated with hi. 

Proof: We proceed by induction on m. The lemma is trivially true if m = 1, since Ii(i,r, 1) = 
Ir{i, r, 1) = {i}. If m > 1, then the result is trivially true if i does not process a message at time m — 1 
(since /^(i, r, m) = 1^(1, r,m— 1) unless i processes a message from the left at time m—1, and similarly 
for Ir(i, r, m); and even if some agents in lL{i, r, m) U Ir(i, r, m) may become passive between time 
m — 1 and time m, the result continues to hold). So suppose that i processes a message from the left 
at time m — 1. Since Ir(i, r, m) = Ir(i, r,m — 1), it is immediate from the induction hypothesis that 
part (a) continues to hold. For part (b), by Lemma lC4l we have that Iiih f, m) = r, m') U [i..j]L, 
where the message that i processed from the left at time m — 1 originated with j at time m'. By the 
definition of origination, all agents in [i.-j]L — {hj} must be passive at time m — 1. Thus, the result 
follows immediately from the induction hypothesis applied to j and time m', together with the following 
observations: 

• If j originated the message at time m' , then it follows easily from Lemma [CTTI that it is the pth 
message sent by j. Moreover, either IlU, r, m') = {j} or r, m') = r, m"), where 
m" — 1 is the time that j processed its (p — 2)nd message (since this is the last message that j 
processed from the left prior to time m'). 

• If i is active at time m, then idi > idj, and the (p + l)st message that j processes will originate 
from i (if j does not know all the information before processing the message) and will cause j to 
become passive. 

The argument is similar if i processes a message from the right at time m — 1. 1 

We say that agent i can be the first to learn all the information in network N if there is a run r of P2' 
such that N r = N and, in run r, i knows all the information at some time m and no agent knows all the 
information at the point (r, m — 1). Our goal is to prove that there can be at most two agents that can 



32 



be first to learn all the information in a network ivjl To prove this result, we first show that, although 
we are considering asynchronous systems, what agents know depends only on how many messages they 
have processed. 

Lemma C.6: If N r = N r i = N, no agent knows all the information at the point (r, m) or the point 
(r', ml), and agent i has processed exactly k messages at both the points (r, m) and (r', m'), then 
Ih{h r , m ) = II^-, r> ' i m ') and Ir(i, r, m) = Ir(i, r' , m'). Moreover, the kth message that i processed 
in run r originated with j iff the kth message that i processed in run r' originated with j. 

Proof: We proceed by a straightforward induction on m + m! . Clearly the result is true if m = m' = 1. 
If i does not process a message at the point (r, m — 1), then r, m) U Ir(i, r, m) = 1^(1, r,m — 
1) U i#(i,r, m — 1), and the result is immediate from the induction hypothesis; similarly, the result 
follows if i does not process a message at the point (r', m' — 1). Thus, we can assume that i processes 
a message at both (r, m — 1) and (r',m/ — 1). Moreover, it follows from Lemma ICTTl that i either 
processes from the left at both (r, m — 1) and (r',m' — 1) or processes from the right at both of these 
points. Assume without loss of generality that i processes from the left. Then, using the induction 
hypothesis, we have that Ir(i, r, m) = Ir(z, r, m — 1) = Ir{i, r' , m' — 1) = Ir(i, r', m'). Moreover, 
/i(i,r, m) = lL.(Li,r,mi) U {i}, where mi is the time Li sent the message that i processes at time 
m — 1 in r; Ii{i : r' ,m') = Ir,{Li,r' \rrii) U {i}, where m! x is the time that Lj sent the message that 
i processes at time m' — 1 in r'. It follows from Lemma IC.ll that we must have k = 2k', Li has 
sent k' messages left at the points (r, m\) and (r', m'i), and has processed k — 1 messages at both of 
these points. By the induction hypothesis, I^(Lj,r, mi) = Il{Li, r', m^). The desired result follows 
immediately. | 

Lemma C.7: There are at most two agents that can be first to learn all the information in network N. 
If an agent that can be first to learn all the information is active when it learns all the information, then 
it must be the agent with the highest id. 

Proof: Suppose, by way of contradiction, that three agents can be the first to learn all the information, 
say i\, 12, and i%. Suppose that i* is the agent in N with the highest id. Suppose that the message that 
ih processed which caused it to know all the information was the phth message that iy t processed, for 
h = 1, 2, 3. First assume that i* £ i2,iz}- It easily follows from Lemma |C31 that, for h = 1, 2, 3, 
either the p^th message or the (p^ — l)st message that processed must have come from i* . Suppose 
that for two of i\, %2, or i^, the message that ih processed from i* came from the right. Suppose, without 
loss of generality, that these two agents are ii and %2- Now a simple case analysis shows that either i\ 
knows all the information before %2 in all runs of P2' where N r = N, or %2 knows all the information 
before i\ in all runs where iV r = N. For example, suppose that the message that originated with i* is 
the p' h th message that processed, for h = 1,2; note that p' h is either p^ or p^ — 1. (By Lemma IC6l p' h 
is same in all runs r such that N r = N.) If p[ > p' 2 then it follows from Lemma ICTl that p[ > p' 2 + 2, 
and it is easy to see that i\ must learn all the information before Similarly, if p' 2 > p[, then it is easy 
to see that i% must learn all the information before i\. Finally, suppose that p' = p' x = p' 2 . Without loss 

5 In all the examples we have constructed, there is in fact only one agent that can be first to leam all the information in 
network N, although that agent may not be the eventual leader. However, we have not been able to prove that this must be the 
case. 



33 



of generality, assume that going from i* left on the ring, we reach i\ before %i. Then it is easy to see 
that if pi = pi, so that i\ knows it has all the information after processing the message from i* , then i\ 
knows it has all the information before 12 in all runs r with N r = N, while if p\ = p[ + l, then i\ must 
learn it after 12 in all runs (since the pith message processed by i\ must originate with a process farther 
to the left of i* than 12). Thus, it cannot be the case that both i\ and 12 can be first to learn the message, 
a contradiction. A similar contradiction arises if both i\ and 12 process i*'s message from the left. 

Thus, it follows that i* € {11,12^3}', without loss of generality, assume that i* = Again, if 
both of i\ and 12 process z*'s message from the left, or both process it from the right, then we get 
a contradiction as above. So suppose without loss of generality that i\ processes i*'s message from 
the left, %2 processes message from the right, and i* = £3 processes its p3th message from the 
left. Again, it is easy to show that if p\ < p%, then in all runs r with N r = N, i\ knows it has all 
the information before £3 = i*; if p\ > p%, then in all runs r with N r = N, i* knows it has all the 
information before i\. Either way, we have a contradiction. | 

We can now describe the remainder of protocol P2', after an agent i learns all the information. What 
happens depends on (a) which agents can be first to learn all the information, and whether i is one 
of them; (b) whether i is active or passive just after learning all the information, and (c) whether the 
message that results in i learning all the information is processed from the left or the right. Note that 
when an agent learns all the information, it can easily determine which agents can be first to learn all 
the information. Rather than writing the pseudocode for P2', we give just an English description; we do 
not think that the pseudocode will be more enlightening. 

• Suppose that the only agent that can be first to learn all the information is the leader. We now 
do essentially what is done in Peterson's algorithm. Suppose that the message that resulted in 
the leader learning all the information was processed from the left (if the message was processed 
from the right, the rest of the argument remains the same, replacing left by right everywhere), the 
message originated with agent i, and was the pth message processed by the leader. We claim that 
after processing the pth message, all agents other than the leader will be passive. If i is the leader, 
this is almost immediate. If i is not the leader, then it follows from Lemma |C31 The leader then 
sends its (p + l)st message to the left. After an agent processes the leader's (p + l)st message, 
it will then know all the information. We require it to send a message to the left with all the 
information unless it is the leader's right neighbor. (Of course, once it knows all the information, 
the leader's right neighbor will realize that the neighbor to the left is the leader and that the leader 
already knows all the information, so it does not need to forward the information.) After this 
process is completed, all the agents know all the information. 

• Suppose that agent i is the only agent that can know all the information and i is passive when 
it first knows all the information. Suppose that the message that resulted in i's learning all the 
information was processed from the left (again, the argument is similar if it was processed from 
the right), the message originated with agent j, and was the pth message processed by i. It is 
easy to see that i must have been active just prior to processing the pth message, for otherwise 
the agent to i's left will learn all the information before i. Moreover, i's pth message must have 
originated with the leader (since i could not have known about the leader prior to receiving the 
message, or it would not have been active). Then i sends the message with all the information 
back to the leader, who forwards the message all the way around the ring up to the agent to z's 
right, at which point all the agents know all the information. 
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• Suppose that two passive agents, say i and i', can be first to learn all the information. Again, it 
is not hard to see that i and i' must have been active just before learning all the information. If i 
and i' both first learn all the information after processing the pth message, then by Lemma |C31 
the pth message of one of them, say i, originated with i*. Suppose without loss of generality that 
i and i' received this message from the left. Then i sends a message with all the information to 
the left, where it is forwarded up to and including £*; similarly, i' sends a message to the left, 
which is forwarded up to but not including i. Note that i' will also receive a (p + l)st message 
that originates with i* from the right. After receiving this message, i! sends a message with all 
the information to the right up to but not including i*. 

• Suppose that one passive agent, say i, and i* can be first to learn all the information. If they both 
learn all the information after receiving their pth message, then i must have been active just before 
receiving the message, €s message originated with i* , and i**s message either originated with i or 
with an agent i' such that the pth message received by i' originated with i, and i' becomes passive 
after receiving this message. Suppose without loss of generality that the pth message was received 
from the left. Then i sends a message with all the information to the left where it is forwarded up 
to but not including i*; similarly, i* sends a message with all the information to the left, where 
it is forwarded up to but not including i. A straightforward case analysis shows that it cannot be 
the case that there exist p and p' with p ^ p' such that i learns all the information after receiving 
its pth message and i* learns all the information after receiving the p'th message. For if p < p', 
then i must learn all the information before i* in all runs, and if p' < p, then i* must learn all the 
information before i in all runs. 

This completes the description of P2'. 

Having completed the description of P2', we can finally prove that P2' de facto implements Pg^p 
in contexts where (i) all networks are bidirectional rings and (ii) agents have distinct identifiers. Let 
(7 6r, ",7r) denote the interpreted context for global computation where the initial states are the bidi- 
rectional rings with unique identifiers. Suppose that o is an order generator that respects protocols, 
a is a deviation-compatible ranking function, and J = (lZ + ('y br,u ), n, fi^br,u , o(P2'), a(P2')) is the 
interpreted system corresponding to P2' in the cb context x br,u = (l br,u , ft, o, a). Proving that P2' 
de facto implements Pg^p in the cb context x br ' u amounts to showing that P2^(£) = Pg^pj (£) for 
every local state I such that there exists r G R(P2', ^ ur < u ) and m such that I = rj(m). That is, for all 
r € R(P2', 7 ur '") and times m, we must show that P2'-(rj(m)) = act iff {J,r,m,i) \= ip ac t, where 
ip ac t is the precondition in Pg c6 for action act. 

Lemma C.8: For all runs r of P2' in the context ^ br > u , times m, and agents i in N r , P2-(rj(m)) = 
PgCff (r^m)). 

Proof: As we observed above, we must show that for all r £ R(P2', j br ' u ) and times m, we have that 
P2^(rj(m)) = act iff (J', r, m, i) \= (/? act . So suppose that P2-(r,(m)) = act. The relevant actions act 
have the form send n (newJnfo), where n € {L, R}. We consider the case that n = L here; the proof 
for n = R is almost identical, and left to the reader. The precondition of send ^{new Jnfo) is 

^Bj[-^do{sendL{new -info)) > 0(3n'( Ca//s(L, I, n') ABL(n !, scont(newJnfo))) \Zz\vBi(f = v))]. 
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Since R is the unique name that i's left nieghbor calls i in a ring, we have that (J,r,m,i) \= Calls (L, I, R). 
By the definitions in Section El (J,r,m,i) \= f S end L (new_info) if an d only if there exists a situation 
(r', ml ', i') such that 

(a) r-,(m') = rj(m), 

(b) cr(P2')(r / ) = min^ (P2,) (r,m), and 

(c) (T, r',m',i') \= do (send L(new -info)) > ()(3n' (Calls (L, I, n')ABL(n"scont(new-info)))\/ 
3vBl(/ = v))], so there exists a situation (r", m", i") G closest([-ido(sem/ n (new;_m/o))] I (p2'. x 6r, U ), 
r',m',i') such that 

(J, r", m", i") H nhB L (R's cont(newJnfo)) A -a«. B £ (/ = v)). 

Thus, we must show that there exists a situation (r', to', z') satisfying conditions (a), (b), and (c) 
above iff P2.(rj(m)) = send l (new Jnfo). To prove this, we need to consider the various cases where 
i sends left. 

• Case 1: at (r, m), i is active, does not know it has all the information, and sends its first message 
at time m. In this case, we can take r' to be a run of P2' on the network [i] (i.e., the network 
where the only agent is i), m! = 0, and i' = i, and take (r", m", i") to be an arbitrary situation 
in close(do(sendL(newJnfo)),P2',-f br,u ,r',m',i f ) such that |iV r »| > 1. In r", L^i does not 
receive a message from i", so will never process any message. It easily follows that, in r", Lin 
does not learn the content (i")'s initial information, nor does it learn who the leader is. 

• Case 2: i is active, does not know all the information, and does not send its first message to the 
left at time m. In this case, Li must be passive. Suppose that i is about to send its kth message 
left at the point (r, m). By Lemma ICTl i must have received k — 1 message from Li, so Lj must 
have processed k — 1 messages from i. Moreover, i considers it possible that Li has already sent 
its fcth message left, and is waiting to process its kth message from i. Since i does not have all 
the information at time m, it is easy to see that i must also consider it possible that L,; does not 
have all the information at time m. Thus, there exists a run r' such that rj(m) = r^(m) and, at the 
point (r', m), Li does not have all the information and is waiting to process the fcth message from 
i. Let (r", m", i") be an arbitrary situation in close(do (send ^(new Jnfo)), P2' , r y hr ' u ,r' , m, i). 
Since i" does not send left at (r", m"), L^i will wait forever to process a message from i". Thus, 
in r", Lin never learns the content of (i")'s fcth message, nor does it learn who the leader is. 

• Case 3: i is passive at the point (r, m) and does not have all the information. Since i is about 
to send left and it is passive, i must have last processed a message from its right; without loss 
of generality, assume that i has processed p messages from its right, and so must have processed 
(p — 1) messages from its left by time m. It easily follows from Lemma ICTl that p > 1. Suppose 
that the (p — l)st message that i processed from its left originated with k. Since i does not have 
all the information at time m, k did not have all the information when it sent this message to the 
right. After receiving its (p — l)st message from the left, i must consider it possible that the ring 
is sufficiently large that, even after k processes its (p — l)st message from the left, k will still not 
know all the information. That is, there exists a situation (r' , m', i') with r' G R(P2', j br ' u ) such 
that conditions (a) and (b) are satisfied, and if i''s (p — l)st message from the left in r' originated 
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with k' , then k' does not have all the information at the point (r',m'), despite have processed 
its (p — l)st message from the left by this point. Let (r" ,m" be an arbitrary situation in 
close(do(sendL(newJnfo)),P2',"f br > u ,r',m',i'). Suppose that (z")'s (p — l)st message from 
the left in r" originated with k" . At the point (r",m"), k" has already processes its (p — l)st 
message from the left and does not have all the information (because this was the case for the 
agent k! corresponding to k" in r'). In r" , all processes between i" and k" are passive. Thus, 
regardless of whether k" is active or passive, in r", k" and i" and all agents between them are 
deadlocked, because k" is waiting from a message from the right, which must pass through i" , 
and i" is waiting for a message from its left, which must pass through k" . It easily follows that 
Lj« does not learn (i")'s new information in r", nor does Lj« learn who the leader is. 

• Case 4: i has all the information at time m in r. There are a number of subcases to consider. 
We focus on one of them here, where two agents, the leader i* and i, are the first to learn all the 
information; the arguments for the other cases are similar in spirit, and left to the reader. We have 
shown that, in this case, i turns passive when it learns all the information as a result of processing 
a message msg that originated with i*, and that the number of messages i* and % have processed 
by the time they learn all the information is the same. Without loss of generality, assume that 
both i* and i first learned all the information after processing their pth message from the left. We 
showed that either the pth message that i* processed from its left originated with i, or it originated 
with some agent i' whose pth message from the left originated with i. It is easy to see that all 
agents other than i* and i are passive after they process their pth message, do not have all the 
information, and are waiting to receive a message from the right. Thus, if i does not send left, 
then all agents to the left of i up to but not including i* are deadlocked. Since % is supposed to 
send left, it cannot be the case that L; L = i*. It easily follows that if i does not send left, and 
(r',m,i r ) is an arbitrary situation in close(do(sendr.(new_info)), P2' ,~f br ' u ,r,m,i), then 
does not learn (i')'s new information nor who the leader is in r'. 

We have shown that, for all r € R(P2', ^ br ' u ) and times m, if P2' i (ri(m)) = act then [J, r, m, i) \= 
'Pact- F° r the converse, suppose that P2' i (ri(m)) / act. Again, suppose that act is send l {new -info). 
Let (r', m', i') be a situation that i considers possible at time m in run r (i.e., such that conditions (a) and 
(b) above hold). Since i does not send left at the point (r, m), i' does not send left at the point (r', m'). 
Thus, by definition, close(do(send n (newJnfo)),P2',j br ' u ,r',m f ,i r ) = {(r', m', i')}. Since r 1 is 
a run of P2', and every agent eventually learns who the leader is in every run of P2', it follows that 
(J, r', m', i') |= 0B L (f = v), and hence 

(J~,r,m,i) \= -idoi(send n (newJnfo)) > 0(3n'( Calls(L, I, n')Ai?L(n / 'scont(nei(;_m/o)))v3f 
Thus, (J, r, m, i) \= ^<p se nd L (new.info)- This completes the proof. | 
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